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INTERNET GOVERNANCE: 
THE FUTURE OF ICANN 


WEDNESDAY, SEPTEMBER 20, 2006 

U.S. Senate, 

Subcommittee on Trade, Tourism, and Economic 

Development, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Subcommittee met, pursuant to notice, at 10:05 a.m. in room 
SR-253, Russell Senate Office Building, Hon. Ted Stevens, 
Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. TED STEVENS, 

U.S. SENATOR FROM ALASKA 

The Chairman. Let me start this hearing. 

Senator Smith has been delayed. He will be along. I do thank 
him for scheduling this hearing on ICANN, and we want to thank 
the witnesses for coming to participate. 

We’re proud that the Internet was developed with research fund- 
ing from the Department of Defense Advanced Research Project 
Agency to establish a military network. Today, the Internet con- 
tinues to evolve and flourish, mostly through private investment. 
One critical part of the Internet is the management of domain 
names, and ICANN is the nonprofit corporation responsible for co- 
ordinating the management of the technical elements of the do- 
main-name system of the Internet. It also oversees the distribution 
of identifiers used in Internet operations. 

When ICANN was created, it was expected to transition into a 
freestanding, financially sound organization by the year 2000. The 
Department of Commerce extended this Memorandum of Under- 
standing with ICANN several times, and the current MOU is set 
to expire within 1 month. ICANN’s current system for managing 
the domain-name system is working, but the feeling is that more 
needs to be done to improve the process and transparency. And 
we’re going to look forward to the statement of witnesses here 
today. 

Senator Burns, do you have any comments? 

STATEMENT OF HON. CONRAD BURNS, 

U.S. SENATOR FROM MONTANA 

Senator Burns. Well, no, Mr. Chairman, but I would say that 
there’s quite a lot of interest in this, and to make sure that this 
moves forward, especially this issue between the two entities of 
ICANN and VeriSign, and make sure that they’ve got the resources 

( 1 ) 
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for an ever-increasing load that they have to handle. I look forward 
to getting an update. That’s the reason I’m here today; I want an 
update on where we are on this process, because it’s a very tender 
and — it’s a very important issue, as far as the operation of the 
Internet is concerned. 

So, thank you for this hearing, and we might get going to the 
witnesses. 

The Chairman. Yes, we’ll reserve the space at the beginning of 
the hearing for Senator Smith’s statement that he may wish to put 
in the record. 

Our first witnesses are John Kneuer, the Assistant Secretary for 
Communications and Information of the Department of Commerce, 
and Jon Leibowitz, Commissioner of the Federal Trade Commis- 
sion. 

I assume that it’s all right if you start, Mr. Kneuer. 

STATEMENT OF JOHN M.R. KNEUER, ACTING ASSISTANT 
SECRETARY FOR COMMUNICATIONS AND INFORMATION, 
NATIONAL TELECOMMUNICATIONS AND INFORMATION 
ADMINISTRATION, DEPARTMENT OF COMMERCE 

Mr. Kneuer. Thank you. Thank you. Chairman Stevens, Senator 
Burns, for this opportunity to testify before you on the progress of 
ICANN in meeting its obligations under its MOU with the Depart- 
ment of Commerce. 

The Department continues to believe that the stability and secu- 
rity of the Internet domain name and addressing system can best 
be achieved by transitioning the coordination of the technical func- 
tions related to the management of DNS to the private sector. The 
vehicle for achieving this goal is the MOU between the Department 
and ICANN. 

The Chairman. Can you pull that mike a little bit toward you, 
please? Thank you. 

Mr. Kneuer. As the Committee will recall, ICANN was formed 
in 1998 in response to the Department of Commerce’s call for a 
partner to lead the transition to the private-sector management of 
the DNS. The Department plays no role in the internal governance 
or day-to-day operations of ICANN; however, under the terms of 
the MOU, we offer expertise and advice on the transition, and mon- 
itor ICANN’s performance of the MOU tasks. 

The current MOU was deliberately crafted to permit the Depart- 
ment and ICANN to measure progress toward concrete goals and 
objectives. When this current MOU was entered into, in September 
2003, ICANN had just completed an internal review and reform ef- 
fort. As well, ICANN was in the process of implementing the struc- 
tural and organizational changes that would be necessary to com- 
plete that process. In the course of the past 3 years, ICANN has 
successfully met many of the MOU’s date-specific milestones. 

The current MOU expires on September 30, 2006. Over the 
course of the past year, the Department has conducted an internal 
review of its relationship with ICANN. To complement the Depart- 
ment’s internal review, NTIA initiated a public consultation proc- 
ess to obtain views of all interested stakeholders in ICANN. We re- 
ceived and analyzed over 700 written responses from individuals, 
private corporations, trade associations, nongovernmental entities. 
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and foreign governments. The public consultation revealed broad 
support for continuing the transition of the DNS to the private sec- 
tor through a continued partnership between the Department and 
ICANN. A majority of interested stakeholders continue to endorse 
the original principles put forth in the DNS transition: stability 
and security, competition, bottom-up policy coordination, and broad 
representation. Equally important, the consultation process re- 
vealed strong support for more specific focus on transparency and 
accountability, and the continued involvement of the Department of 
Commerce in this transition. 

As we approach the end of the term of this MOU, we are working 
with ICANN to negotiate the next phase of our continued partner- 
ship. 

I would also like to focus briefly on the WHOIS database. The 
U.S. Government continues to believe that ICANN should enforce 
the existing contractual obligations of domain name registrars and 
registries in the collection and maintenance of accurate registrant 
contact data. The Department and other U.S. agencies strongly 
support continued timely access to accurate and publicly available 
WHOIS data. We believe WHOIS data is critical to meeting a vari- 
ety of public policy objectives, including those of law enforcement 
and intellectual property concerns. 

In conclusion, the Department continues to be supportive of the 
private-sector leadership in the coordination of the DNS. The De- 
partment continues to support the work of ICANN as the coordi- 
nator of these technical functions. Both ICANN and the Depart- 
ment agree that preserving the security and stability of the Inter- 
net DNS is a critical priority that will guide the next stage in the 
transition process. 

Thank you, and I’ll be happy to answer any questions. 

[The prepared statement of Mr. Kneuer follows:] 

Prepared Statement of John M.R. Kneuer, Acting Assistant Secretary for 

Communications and Information, National Telecommunications and Infor- 
mation Administration, Department of Commerce 

Mr. Chairman, 

Thank you and the members of the Committee for this opportunity to testify on 
the progress of the Internet Corporation for Assigned Names and Numbers (ICANN) 
under the Memorandum of Understanding (MOU) between ICANN and the Depart- 
ment. 

The Administration recognizes the critical importance of the Internet to the eco- 
nomic and social well-being of the United States and the global community, and is 
committed to its future growth. The Department has been charged with preserving 
the stability and security of the Internet’s underlying infrastructure — the domain 
name and addressing system. I am pleased to have this opportunity to share the 
results of our efforts to date, as well as our perspective for the future. 

The Department’s Relationship With ICANN 

The Department continues to believe that the stability and security of the Inter- 
net domain name and addressing system (DNS) can best be achieved by 
transitioning the coordination of the technical functions related to the management 
of the DNS to the private sector. The vehicle for achieving this goal is the MOU 
between the Department and ICANN. As the Committee will recall, ICANN was 
formed in 1998 in response to the Department of Commerce’s call for a partner to 
lead the transition to private sector management of the DNS. 

In September 2003, the Department and ICANN agreed to renew the MOU for 
a period of 3 years, with several date-specific milestones and broad tasks aimed at 
guiding ICANN to a stable, independent, and sustainable organization. The expecta- 
tion of the Department was that the three-year timeframe would allow ICANN suffi- 
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cient opportunity to formalize appropriate relationships with the organizations that 
form the technical underpinnings of the Internet, secure the necessary resources to 
ensure its long-term independence, improve its mechanisms for broad participation 
by all Internet stakeholders, and continue to improve its decisionmaking processes. 
The Department plays no role in the internal governance or day-to-day operations 
of the organization. However, under the terms of the MOU, the Department mon- 
itors and ensures that ICANN performs the MOU tasks, and offers expertise and 
advice on certain discrete issues. 

As you may recall, this relationship was the focus of much debate at last year’s 
United Nations World Summit on the Information Society. To provide clarity to this 
debate, the Administration issued the U.S. Principles on the Internet’s Domain 
Name and Addressing System. In this set of principles, the Administration reiter- 
ated its commitment to preserving the security and stability of the Internet domain 
name and addressing system; recognized that governments have legitimate public 
policy and sovereignty concerns with respect to the management of their country 
code top level domains; reaffirmed its support for ICANN; and encouraged continued 
dialogue on Internet governance issues. After much discussion and debate, and with 
your help and support, the international community arrived at a consensus on the 
importance of maintaining the stability and security of the Internet, the effective- 
ness of existing Internet governance arrangements, and the importance of the pri- 
vate sector in day-to-day operations of the Internet. 

Measuring Progress 

The current MOU was deliberately crafted to permit the Department and ICANN 
to measure progress toward discrete goals and objectives. When this MOU was en- 
tered into in September 2003, ICANN had just completed an internal review and 
reform effort, and was well into the process of implementing the structural and or- 
ganizational changes called for through that process. In the course of the past 3 
years, ICANN has successfully met many of the MOU’s date-specific milestones, 
which included the following: 

• developing a strategic plan addressing administrative, financial and operational 
objectives; 

• developing a contingency plan to ensure continuity of operations in the event 
ICANN incurs a severe disruption of such operations, by reason of bankruptcy, 
corporate dissolution, natural disaster or other financial, physical or operational 
event; 

• conducting a review of corporate administrative and personnel requirements 
and corporate responsibility mechanisms; 

• developing a financial strategy to secure more predictable and sustainable 
sources of revenue; 

• improving its processes and procedures for the timely development and adoption 
of policies related to the technical management of the DNS; 

• implementing reconsideration and review processes, including an Ombudsman 
and commercial arbitration clauses in ICANN contracts; 

• developing a strategy for the introduction of new generic top level domains, in- 
cluding internationalized domain names; 

• enhancing broader participation in ICANN processes by the global community 
through improved outreach, regional liaisons, and multilingual communications; 

• publishing annual reports on community experiences with the WHOIS Data 
Problem Reports System, used to report inaccuracies in the submission of 
WHOIS data by domain name registrants; and 

• publishing annual reports on the implementation of the WHOIS Data Reminder 
Policy, which domain name registrars are required to send to domain name reg- 
istrants. 

ICANN has also made steady progress toward the MOU’s broader tasks, includ- 
ing: entering into an agreement with the Regional Internet Registries to facilitate 
the development of global addressing policy, and developing and implementing new 
accountability framework agreements with many country code top level domain op- 
erators. 

WHOIS Policy Development 

I would like to focus briefly on the WHOIS database issue. First, the U.S. Govern- 
ment believes that ICANN should enforce the existing contractual obligations of do- 
main name registrars and registries for the collection and maintenance of accurate 
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registrant contact data. The Department and other U.S. agencies ^ strongly support 
continued, timely access to accurate and publicly available WHOIS data contained 
in the databases of information identifying registrants of domain names. We believe 
WHOIS data is critical to meeting a variety of public policy objectives and have been 
proactively advocating this position at ICANN meetings. At the most recent meeting 
in June 2006, the United States formally tabled a statement clarifying our perspec- 
tive that a public WHOIS database is essential to: 

• assist civil and criminal law enforcement in resolving cases that involve the use 
of the Internet, combat intellectual property infringement and theft; 

• support Internet network operators responsible for the operation, security and 
stability of the Internet; 

• protect the rights of consumers by facilitating, for example, their identification 
of legitimate online businesses; and 

• assist business in investigating fraud, phishing, and other violations of laws. 

We are continuing to advance our perspective within ICANN, including working 
with other governments to develop more formal public policy advice on the purpose 
and use of WHOIS data. 

Future Relationship 

The current MOU expires on September 30, 2006. Over the course of the past 
year, the Department has conducted an internal review of its relationship with 
ICANN. To complement the Department’s internal review of ICANN’s progress 
under the MOU, the National Telecommunications and Information Administration 
(NTIA) initiated a public consultation process to obtain the views of all interested 
stakeholders. In May 2006, NTIA issued a Notice of Inquiry on the Continued Tran- 
sition of the Technical Coordination and Management of the Internet Domain Name 
and Addressing System to solicit views on such issues as: 

• ICANN’s progress in completing the core tasks and milestones contained in the 
current MOU, and whether these activities are sufficient for transition to pri- 
vate sector DNS management by the scheduled expiration date of the MOU, of 
September 30, 2006; 

• Whether the principles underlying ICANN’s core mission ii.e., stability, competi- 
tion, representation, bottom-up coordination and transparency) remain relevant 
and whether additional principles should be considered; 

• Determining whether the tasks and milestones contained in the current MOU 
remain relevant, and/or whether new tasks would be necessary; 

• Assessing whether all key stakeholders are effectively represented and involved 
in ICANN’s activities, and if not, how that could be accomplished; and 

• Whether new methods or processes should be considered to encourage greater 
efficiency and responsiveness. 

NTIA received and analyzed over 700 responses from individuals, private corpora- 
tions, trade associations, nongovernmental entities, and foreign governments. NTIA 
invited a representative sample of these interested stakeholders to participate in a 
public meeting on July 26, 2006. Representatives from the Regional Internet Reg- 
istries, the root server operators, registrars, registries, country code top level do- 
main operators, the Internet Society, the Internet research and development com- 
munity, trademark interests, the user community, the business community, and a 
representative from the Canadian government shared their perspectives on the 
questions NTIA posed to the global Internet community. Well over one hundred in- 
terested stakeholders participated in the public meeting. 

This public consultation process revealed broad support for continuing the transi- 
tion of the coordination of the technical functions related to the management of the 
DNS to the private sector through the continued partnership between the Depart- 
ment and ICANN. A majority of interested stakeholders continue to endorse the 
original principles put forward to guide the DNS transition — stability and security; 
competition; bottom-up policy coordination; and broad representation. Equally im- 
portant, the consultation process revealed strong support for a more specific focus 
on transparency and accountability in ICANN’s internal procedures and decision- 


^NTIA chairs an interagency ICANN Working Group composed of representatives from the 
Department of Commerce, the Justice Department, the Federal Trade Commission, the State 
Department, the Patent and Trademark Office, the Federal Bureau of Investigation, the Inter- 
nal Revenue Service, and the Department of Homeland Security that develops and coordinates 
U.S. positions on issues pending before the ICANN Governmental Advisory Committee. 
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making processes, and the continued involvement of the Department of Commerce 
in this transition. 

As we approach the end of this term of the MOU, we are working with ICANN 
to negotiate the next phase of our continued partnership. 

Conclusion 

In conclusion, the Department continues to be supportive of private sector leader- 
ship in the coordination of the technical functions related to the management of the 
DNS as envisioned in the ICANN model. Furthermore, the Department continues 
to support the work of ICANN as the coordinator for the technical functions related 
to the management of the Internet DNS. Both ICANN and the Department agree 
that preserving the security and stability of the Internet DNS is a critical priority 
that will guide/govern the next stage in the transition process. 

Thank you and I would be happy to answer any questions that you may have. 

The Chairman. Thank you. 

Mr. Leibowitz? 

STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, 
FEDERAL TRADE COMMISSION 

Mr. Leibowitz. Thank you, Mr. Chairman, Senator Burns. I’m 
pleased to be here in this beautiful, newly renovated hearing room 
on behalf of the Federal Trade Commission. 

I ask that the Commission’s written statement be made part of 
the record. My oral testimony reflects my own views, and not nec- 
essarily the views of any other Commissioner. 

This morning I want to focus my remarks on the importance of 
continued, unrestricted access to WHOIS information. Simply put, 
our ability to protect consumers is being placed at risk by a move- 
ment within ICANN to limit WHOIS to technical purposes only 
and, thus, prevent law enforcement and the public from using this 
critical resource to identify scammers who operate websites. 

Those who want to restrict access to WHOIS databases are no 
doubt sincere in their efforts to protect privacy. I’ve met with them 
and I know they are. But the irony of their position is that any at- 
tempt to cabin WHOIS information so narrowly could actually jeop- 
ardize the ability of the FTC and other law enforcement authorities 
to protect people’s privacy by stopping, for example, spam, spyware, 
and identity theft. That’s an outcome nobody wants. 

Because this is such an important issue, in June the Commission 
sent a delegation to the ICANN meeting in Morocco, where we 
joined with several of our foreign consumer protection counterparts 
to emphasize to ICANN the importance of access to WHOIS. We 
understand that in the wake of that meeting the ICANN advisory 
body is reevaluating its earlier decision. 

Mr. Chairman, we certainly hope so, because the future of 
ICANN is really on the line here. It has to show the leadership 
necessary to properly govern the Internet. 

Having said that. I’ve met with the ICANN Board, they do un- 
derstand the seriousness of the WHOIS issue, and my strong sense 
is that they’re committed to doing the right thing. 

From our perspective at the Commission, access to WHOIS data- 
bases raises four important considerations: first, law enforcement’s 
ability to obtain information about malefactors who use Internet 
websites; second, consumers’ ability to know who they’re dealing 
with when they engage in e-commerce; third, businesses’ ability to 
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serve important functions; and, fourth, very important individual 
privacy interests. 

First, law enforcement. The FTC frequently challenges a wide 
variety of Internet-related threats, for example, spam, spyware, 
phishing, deceptive health claims, and get-rich-quick schemes. 
Whether acting to stop fraud or otherwise protecting consumers, 
our investigators need to identify offenders who hide behind the 
electronic shield of the Internet. 

For the past decade, we’ve used WHOIS databases in virtually 
all of our Internet investigations. In fact, WHOIS is often one of 
the first tools we use to identify wrongdoers. 

Sometimes, we can unmask the bad guys and learn their where- 
abouts from WHOIS databases. And even when scammers provide 
false information — and, sadly, all too often WHOIS information is 
inaccurate — WHOIS data may still provide invaluable leads. Con 
artists sometimes provide the same phony information for multiple 
websites, so WHOIS sometimes enables us to link seemingly unre- 
lated scams. 

Second, consumers themselves need to know who they’re doing 
business with. This is especially true in an online environment. 
Continued public access to WHOIS data provides consumers with 
essential contact information if an online seller fails to deliver 
goods or services as promised. Consumer self-help is vital to ensur- 
ing consumer confidence in our market economy — and, often, to re- 
solve disputes before they reach law enforcement. 

Third, business access to WHOIS data also serves an important 
public policy purpose. Last week, I was on the West Coast, meeting 
with some of our leading Internet companies. These companies fre- 
quently rely on WHOIS databases to take real-time action against 
phishers and identity thieves who are using their brands to target 
their customers. Impeding businesses ability to quickly take down 
scams will only further the risk of serious consumer harm. 

Of course, the FTC is concerned about legitimate privacy inter- 
ests. We have always recognized at the Commission that individual 
noncommercial registrants may require protection from public ac- 
cess to their contact information without compromising appropriate 
access by law enforcement. Think, for example, of the dissident 
who needs anonymity. But from our perspective, anyone selling a 
product or engaged in commercial activity should have to publicly 
reveal who they are. It’s just that simple. 

Mr. Chairman, we do want to thank you for your leadership on 
this issue, also you. Senator Burns. And I think I’m getting close 
to my time limit, so I’m happy to answer any questions, with Mr. 
Kneuer. 

[The prepared statement of Mr. Leibowitz follows:] 

Prepared Statement of Hon. Jon Leibowitz, Commissioner, 

Federal Trade Commission 

I. Introduction 

Good morning, Mr. Chairman, and members of the Subcommittee, I am Jon 
Leibowitz, a Commissioner of the United States Federal Trade Commission (FTC or 
Commission).! I appreciate the opportunity to appear before you today to discuss 
Internet governance. Specifically, my testimony will focus on the importance of con- 
tinued public and law enforcement access to WHOIS databases. Simply put, the 
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FTC is concerned that attempts to limit the purpose of WHOIS databases will 
hinder its ability to protect consumers and their privacy. 

As you know, WHOIS databases are information directories containing contact in- 
formation about website operators. The FTC has long recognized that WHOIS data- 
bases are critical to the agency’s consumer protection mission, to other law enforce- 
ment agencies around the world, and to consumers. In fact, 4 years ago, the Com- 
mission testified before Congress on the importance of improving the accuracy of in- 
formation in WHOIS databases.^ Most recently, in July 2006, the Commission testi- 
fied before a subcommittee of the House Committee on Financial Services on the 
importance of preserving public access to WHOIS data.^ 

The Internet Corporation for Assigned Names and Numbers, commonly referred 
to as ICANN, is currently engaged in a policy development process that could mod- 
ify the information that is maintained on public WHOIS databases. In April 2006, 
ICANN’s Generic Names Supporting Organization (GNSO), the organizational body 
within ICANN that is evaluating the proposed changes to WHOIS databases, voted 
to limit the purpose of WHOIS databases to technical purposes only.'' 

Because of its concern about preserving access to WHOIS databases, the FTC at- 
tended the ICANN meeting in Marrakech, Morocco in June to highlight the impor- 
tance of public access to WHOIS databases. On behalf of the FTC, I participated 
in a panel comprised of representatives of law enforcement agencies from other 
countries. I was joined by the Chairman of the Independent Post and Telecommuni- 
cations Authority in the Netherlands (OPTA) that enforces anti-spam laws, and a 
Deputy Director of Japan’s Telecommunications Consumer Policy Division in the 
Ministry of Internal Affairs and Communications. Together, we emphasized the im- 
portance of law enforcement access to WHOIS databases and encouraged the GNSO 
to reconsider its decision to adopt the narrow purpose definition for WHOIS data- 
bases. The Commission understands that, in part because of these discussions, the 
GNSO is re-evaluating its decision. 

The FTC is pleased to continue this dialogue today by providing this statement 
on the importance of public WHOIS databases in enforcing consumer protection 
laws and in empowering consumers. First, the testimony provides some general 
background about the FTC. Then, the testimony describes how the FTC uses 
WHOIS databases for its law enforcement purposes, discusses the importance of 
consumer and business access to WHOIS data about commercial websites and other 
legitimate uses of WHOIS data, and addresses the privacy concerns that some 
stakeholders have raised about public access to WHOIS databases. The statement 
concludes with some of the FTC’s recommendations on how to move forward. 

II. FTC Enforcement of Consumer Protection Laws 

The FTC is the only Federal agency empowered to enforce both competition and 
consumer protection laws. The principal consumer protection statute that the FTC 
enforces is the FTC Act, which prohibits “unfair or deceptive acts or practices.”® The 
FTC Act authorizes the FTC to stop businesses from engaging in such practices. The 
FTC also can seek monetary redress and other equitable remedies for consumers in- 
jured by these illegal practices. 

The FTC has used its authority against “unfair or deceptive acts or practices” to 
take action against a wide variety of Internet-related threats, including Internet 
auction fraud,® Internet-based pyramid schemes,^ websites making deceptive health 
claims,® and websites promoting “get rich quick” schemes.® More recently, the Com- 
mission has focused its actions against deceptive claims delivered through spam,'® 
“phishing” schemes," and sp 3 rware — all violations of consumer privacy that WHOIS 
data help us eliminate." In many of these cases, the FTC has worked cooperatively 
with its consumer protection counterparts across the globe. 

In addition, the FTC has made a high priority of protecting consumers’ privacy 
and improving the security of their sensitive personal information, both online and 
offline. The FTC has brought several law enforcement actions targeting unfair and 
deceptive practices that involve the failure to protect consumers’ personal informa- 
tion.'® Indeed, as announced earlier this year, the FTC created a new Division of 
Privacy and Identity Protection to address specifically the need to protect consumer 
privacy and the security of consumers’ personal information. 

The FTC also promotes consumer welfare in the electronic marketplace through 
education, outreach, and advocacy. For example, FTC staff provides guidance to 
businesses advertising and marketing on the Internet ''' and to consumers about 
what they should look for before making purchases and providing information on- 
line.'® 
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III. How the FTC Uses WHOIS Databases 

FTC investigators and attorneys have used WHOIS databases for the past decade 
in multiple Internet investigations. WHOIS databases often are one of the first tools 
FTC investigators use to identify wrongdoers. Indeed, it is difficult to overstate the 
importance of quickly accessible WHOIS data to FTC investigations. 

For example, in the FTC’s first spyware case, FTC v. Seismic Entertainment, the 
Commission charged that the defendants exploited a known vulnerability in the 
Internet Explorer browser to download spyware to users’ computers without their 
knowledge.!® The defendants’ software hijacked consumers’ home pages, delivered 
an incessant stream of pop-up ads, secretly installed additional software programs, 
and caused computers to slow down severely or crash. The spyware in this case was 
installed using so-called “drive-by” tactics — exploiting vulnerabilities to install soft- 
ware onto users’ computers without any notice. Using WHOIS data, the FTC found 
the defendants, stopped their illegal conduct, and obtained a judgment for millions 
of dollars in consumer redress. It is uncertain whether the FTC would have been 
able to locate the defendants without the WHOIS data. 

In another matter, the FTC cracked down on companies that illegally exposed un- 
witting consumers to graphic sexual content without warning.!® 'pjjg Commission 
charged seven entities with violating Federal laws that require warning labels on 
e-mail containing sexually-explicit content. In these cases, accurate WHOIS infor- 
mation helped the FTC to identify the operators of websites that were promoted by 
the illegal spam messages. 

Information in WHOIS databases is most useful when it is accurate. Indeed, the 
Commission has advocated that stakeholders work to improve the accuracy of such 
information, because inaccurate data has posed significant obstacles in FTC inves- 
tigations.!® 

In some instances, though, even inaccurate WHOIS information can be useful in 
tracking down Internet fraud operators. One of the FTC’s recent spyware cases in- 
volved defendants that used free lyric files, browser upgrades, and ring tones to 
trick consumers into downloading spyware onto their computers.^® Rather than re- 
ceiving what they opted to download, consumers instead received spyware with code 
that tracked their activities on the Internet. In this particular investigation, several 
of the defendants’ websites were registered to a non-existent company located at a 
non-existent address. Despite the registrant’s use of false information, FTC staff 
was able to link the websites to each other because all of the registrations listed 
the same phony name as the administrative contact in the WHOIS databases. Of 
course, with a “narrow purpose” WHOIS, it is not clear that even such inaccurate 
registration information would be available. 

Having “real-time” access to WHOIS data is particularly important for a civil law 
enforcement agency like the FTC. Where a registrar is located in a foreign jurisdic- 
tion, the FTC often has no other way to obtain the information it needs. The FTC 
cannot, in most cases, readily require a foreign entity to provide us with informa- 
tion. Thus, particularly in cross-border cases, WHOIS databases are often the pri- 
mary source of information available to the FTC about fraudulent domain name reg- 
istrants.^! 

In short, if ICANN were to restrict the use of WHOIS data to technical purposes 
only, it would greatly impair the FTC’s ability to identify Internet malefactors 
quickly — and ultimately stop perpetrators of fraud, spam, and spyware from infect- 
ing consumers’ computers. 

rV. How Consumers Use WHOIS Databases 

Consumers also benefit from access to WHOIS data for commercial websites. 
Where a website does not contain contact information, consumers can go to the 
WHOIS databases and find out who is operating the website. This helps consumers 
resolve problems with online merchants directly, without the intervention of law en- 
forcement authorities. Indeed, it is crucial that consumers continue to have the abil- 
ity to settle disputes prior to — or instead of — law enforcement involvement. 

Consumers do in fact regularly rely on WHOIS databases to identify the entities 
behind websites. FTC staff recently searched the FTC’s database of consumer com- 
plaints, and found a significant number of references to the term “WHOIS.” These 
results indicate that when consumers encounter problems online, the WHOIS data- 
bases are a valuable initial tool they use to identify the people with whom they are 
dealing. Consumer access to WHOIS also helps the FTC because it allows con- 
sumers to gather valuable contact information that they can pass on to the Commis- 
sion — information that might no longer be available by the time the agency initiates 
an investigation because the website operators have moved on to different sites or 
different scams. 
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The Organization for Economic Cooperation and Development (OECD) has recog- 
nized that consumer access to WHOIS data about commercial websites serves an 
important public policy interest. In 2003, the OECD Committee on Consumer Policy 
issued a paper unequivocally stating that “[fjor commercial registrants, all contact 
data should be accurate and publicly available via WHOIS.” In support of this 
conclusion, the paper states: 

Easy identification of online businesses is a key element for building consumer 
trust in the electronic marketplace. Because a website has no obvious physical 
presence, consumers are deprived of many of the usual identifying characteris- 
tics that help instill trust in a traditional retailer . . . While the most obvious 
location for an online business to provide contact details is on the website itself, 
domain name registration information can serve as a useful compliment [sic].^^ 

This OECD paper represents an international consensus about the importance of 
accurate and accessible WHOIS data for consumers. 

V. Other Legitimate Uses of WHOIS Data 

There are other legitimate private users of WHOIS databases — businesses, finan- 
cial institutions, nongovernmental organizations, and intellectual property rights 
owners — all of which heavily rely on access to accurate WHOIS data. Although the 
ETC does not represent these entities’ interests in the WHOIS debate, their use of 
WHOIS databases can help consumers. For example, a financial institution con- 
cerned about the misuse of its name by “spoofing” its website is not only protecting 
its own business interests, but it is also protecting its customers from being 
“phished.” 

The Red Cross recently explained how it used WHOIS data to shut down fraudu- 
lent websites that mimicked its website after Hurricane Katrina in connection with 
donation scams. The simple yet crucial point is this: many legitimate uses of 
WHOIS data by the business community and other nongovernmental organizations 
have an important, and often ignored, consumer protection dimension. Their contin- 
ued access to WHOIS information often helps protect consumers from online scams 
and deception. 

VI. WHOIS Databases and Privacy 

Concerns about the privacy of domain name registrants have driven much of the 
WHOIS debate. The ETC, a primary enforcement agency for U.S. consumer privacy 
and data security laws, is very concerned about protecting consumers’ privacy. Thus, 
the Commission has always recognized that registrants engaged in noncommercial 
activity may require some privacy protection from public access to their contact in- 
formation, without compromising appropriate real-time access by law enforcement 
agencies.^® The FTC supports the further study of how this goal could be achieved. 
In the meantime, however, at the very least, the FTC believes that ICANN should 
preserve the status quo and reject limiting the WHOIS databases to technical uses. 

Restricting public access to WHOIS data for commercial websites would deprive 
the public of the ability to identify and contact the operators of online businesses 
and would contravene well-settled international principles. If people want to do 
business with the public, they should not be able to shield their basic contact infor- 
mation. The 1999 OECD Guidelines on Electronic Commerce state that consumers 
should have information about commercial websites “sufficient to allow, at a min- 
imum, identification of the business . . . [and] prompt, easy and effective consumer 
communication with the business.”^® Thus, commercial website operators have no 
legitimate claim for privacy, and the public should continue to have access to their 
WHOIS data.27 

Moreover, the existing availability of WHOIS databases can actually help enforce- 
ment agencies find out who is violating privacy laws and, consequently, help prevent 
the misuse of consumers’ personal information. For example, WHOIS databases 
were invaluable in FTC investigations in phishing cases where the defendants 
sought to steal sensitive personal and financial information from consumers. In ad- 
dition, the spyware cases discussed earlier also involve serious threats to consumer 
privacy, as spyware can monitor consumers’ Internet habits and can even retrieve 
sensitive consumer information, including financial information, by logging key- 
strokes. WHOIS data has helped the FTC to stop these privacy violations and, hope- 
fully, will continue to do so. 

VII. Recommendations 

In light of the FTC’s experience in enforcing consumer protection laws, the FTC 
made several recommendations to the ICANN community at its meeting in June. 
This testimony summarizes the recommendations the Commission made to the 
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ICANN community and then concludes with a recommendation that Congress enact 
the U.S. SAFE WEB Act, which the Senate passed on March 16, 2006.^® 

A. Recommendations to ICANN Community 

The FTC made three recommendations to the ICANN community. First, the FTC 
recommended that the GNSO reconsider and reverse its position that the WHOIS 
databases should be used for technical purposes only. If this narrow purpose were 
to be adopted, the FTC, other law enforcement agencies, consumers, and businesses 
would not be able to use the WHOIS databases for their legitimate needs. This 
would hurt consumers around the world and could allow Internet malefactors to vio- 
late consumer privacy with impunity. The Commission understands that the GNSO 
is currently taking steps to incorporate the input of the FTC and other law enforce- 
ment agencies into its final recommendation to the ICANN Board. 

Second, the FTC encouraged members of ICANN’s Governmental Advisory Com- 
mittee (GAC) to continue their outreach with law enforcement colleagues in their 
respective countries to reinforce the serious law enforcement and consumer protec- 
tion implications of losing access to WHOIS databases. The Commission is pleased 
to note that GAC members from several countries are undertaking such an effort. 

Third, the FTC recommended that ICANN carefully consider improvements in 
WHOIS databases. For example, as the OECD statements referenced above make 
clear, there is simply no reason to prevent access to contact information for a com- 
mercial website. The ETC urged ICANN to consider additional measures to improve 
the accuracy and completeness of domain name registration information. The FTC 
is also interested in exploring the viability of “tiered access” as a solution capable 
of satisfying privacy, consumer, and law enforcement interests.^® Restricting the 
purpose of the WHOIS databases does not satisfy any of these interests and is a 
step in the wrong direction. Maintaining accessibility and enhancing the WHOIS 
databases would make great strides toward improving the safety and fulfilling the 
promise of the Internet. 

B. U.S. SAFE WEB Act 

The FTC has previously recommended that Congress consider enacting the U.S. 
SAFE WEB Act, passed by the Senate on March 16, 2006. The Commission con- 
tinues to recommend enactment of this legislation, which would give it additional 
tools to fight fraud. Even with the current access to WHOIS databases, the Commis- 
sion needs these additional tools. If the Commission’s access to WHOIS data be- 
comes unavailable, the Commission’s need for the tools provided by the U.S. SAFE 
WEB Act becomes even more critical. 

The U.S. SAFE WEB Act would make it easier for the FTC to gather information 
about Internet fraud from sources other than WHOIS databases. For example, the 
U.S. SAFE WEB Act would help the ETC obtain information and investigative as- 
sistance from foreign law enforcement agencies. It would also allow the FTC to ob- 
tain more information from the private sector and from financial institutions about 
Internet fraud. The FTC’s ability to obtain information under the U.S. SAFE WEB 
Act is no substitute for real-time, desktop access to WHOIS data. Where such data 
is limited, inaccurate, unavailable, or inapplicable, however, having access to a 
broader range of investigative sources about Internet and other cross-border fraud 
would surely help. 

VIII. Conclusion 

In sum, the FTC believes that improvements need to be made to the current 
WHOIS database system and is committed to working with others toward a solu- 
tion. In the meantime, ICANN should ensure that WHOIS databases are kept open, 
transparent, and accessible so that agencies like the FTC can continue to protect 
consumers, and consumers can continue to protect themselves. Further, Congress 
should enact the U.S. SAFE WEB Act to provide the FTC with additional tools to 
fight Internet and other fraud. Together, these tools will help ensure that consumers 
are free from deceptive practices that undermine the promise of the Internet. 
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Borders (“U.S. SAFE WEB Act”), S. 1608, 109th Cong. (2006) (sponsored by Sen. G. 
Smith, passed by the Senate, Mar. 16, 2006). 

Tiered access refers to a system in which different categories of stakeholders 
would get different levels of access to WHOIS databases. 

The Chairman. What was the example you used? 

Mr. Leibowitz. Oh, of dissidents. Right. We believe that you can 
make a — at the Commission, you can make a distinction between 
commercial and noncommercial entities. So, if someone’s selling a 
product on the Internet, they should have to publicly reveal their 
contact information. All too often, that contact information is hid- 
den behind proxy registrations, even for commercial entities. And 
a lot of the time, when someone is a scammer or trying to rip off 
consumers, they deliberately use proxy registrations to try to cloak 
themselves in Internet anonymity. It makes it much harder for us 
to go after these malefactors. And that’s true for law enforcement 
agencies in the United States and, really, around the world. But we 
also recognize that some people may need some anonymity if 
they’re not engaged in a commercial activity. It seems to us that 
makes sense. But this is an issue that needs to be thought through 
by ICANN and by NTIA. 

The Chairman. Thank you very much. 

Mr. Kneuer, I think the $64-billion question is, should this agree- 
ment be extended? It expires in a month. 

Mr. Kneuer. And I think the short answer is yes, it should be 
extended. We conducted a public consultation over the summer. We 
had more than 700 written comments. We had a public forum at 
the Department of Commerce, where interested stakeholders, from 
governments to private companies to registrars and registries, at- 
tended. I think that consultation reflected broad support for 
ICANN, that the private-sector management of the DNS is clearly 
the appropriate path forward, that ICANN is clearly the appro- 
priate vehicle for that private-sector management. But I think 
there was also clear indications that — in order for ICANN to be a 
really lasting and sustainable institution, that we need to continue 
to make more progress on issues of accountability and trans- 
parency, and the vehicle of the MOU to help them through that 
process is still appropriate. 

The Chairman. How long has the current agreement been in 
place? 

Mr. Kneuer. The current agreement was for 3 years. Histori- 
cally, we have extended these MOUs periodically from 1 year to 3 
years. The 1-year extensions would come up quickly, so we made 
the last one 3 years. I think it would be appropriate to consult with 
ICANN concerning our review of the record, to come up with an ap- 
propriate time period that clearly indicates that we continue to be 
committed to the transition, but, at the same time, provide ade- 
quate time for ICANN to make some measurable progress on these 
issues of transparency and accountability. 

The Chairman. Have you discussed the length of that MOU, the 
time frame, with your counterparts in other countries? 

Mr. Kneuer. Not in other countries. This is an agreement be- 
tween the Department of Commerce and ICANN. 

The Chairman. But doesn’t it have international implications? 
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Mr. Kneuer. It does have international implications, and I speak 
periodically and fairly regularly with my regulatory counterparts in 
other countries around the world that have interest in this. The 
issue of more governmental involvement in ICANN was an issue 
that was raised at the World Summit on the Information Society 
in Tunisia last year, and the clear answer to that was that the con- 
tinued private-sector model was affirmed. 

The Chairman. Well, I’ve had indications from other Senators 
that when they started to open up and seek a domain name, they 
found that name had already been reserved by someone else, but 
it was for sale to them. Have you looked into that? 

Mr. Kneuer. Not explicitly in that context, but that’s clearly 
something that we’re happy to work on with you, or your staff. 

The Chairman. Mr. Leibowitz, has the FTC gone into that at all? 

Mr. Leibowitz. Well, I think, for the most part, this — I think it’s 
called “domain-name tasting” and “parking,” where people may 
sample a domain name without having to pay, or may just hold it 
for a certain amount of time, even if they don’t use it. They raise 
some public policy questions for us, because, again, a lot of the 
fraudsters hide behind temporary Internet websites. And so it is a 
concern. We’ve talked to NTIA about it. We’ve talked to ICANN 
about it, too. And we know that — we know that they’re taking this 
seriously. 

The Chairman. Well, isn’t it part of identity theft if someone 
goes and takes my name and registers it as a domain name, and 
then uses that domain name out to — in the world? Isn’t that iden- 
tity theft? Why don’t you look at that? 

Mr. Leibowitz. Well, we do, and we brought a number of cases 
in this area. I mean, technically, identity theft is when they do 
something bad with your name, like steal your credit card informa- 
tion or steal other personal information. 

The Chairman. Well stealing my name is still stealing, isn’t it? 

Mr. Leibowitz. It’s a very legitimate public policy concern, and 
it’s something that we have looked at. We’ve brought a bunch of 
cases against phishers, identity thieves, cybersquatters, and other 
Internet malefactors. 

The Chairman. Thank you. 

Senator Burns? 

Senator Burns. Well, they could have mine. 

[Laughter.] 

Senator Burns. Not very many people have gone through a busi- 
ness failure. And I had to go through one, one time. And I prayed — 
something like that. 

But, anyway, how long should we extend this MOU? I mean, 
you’re recommending that it be extended. How long should it be ex- 
tended? 

Mr. Kneuer. Well, as I said, we’re in discussions with ICANN 
about the appropriate formalization of our relationship, going for- 
ward, and the period of time. Like I said, we’ve done longer exten- 
sions and shorter extensions. I think the important thing, at the 
end of the day, is that we provide enough time for ICANN to 
achieve meaningful progress on these issues of accountability and 
transparency, and, at the same time, we don’t create, an “in-per- 
petuity,” going forward. I want to be cognizant of the fact that this 
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is a transition that we undertook, that we intend to complete, but, 
at the same time, I want there to be enough time to be realistic 
for real change to take place. 

Senator Burns. Well, Mr. Kneuer, have they — what milestones 
have they not met to complete this transition? 

Mr. Kneuer. Most of the milestones that ICANN has met were 
with regards to the brick and mortar of putting together an institu- 
tion, having a budget in place, coming up with contingency plans, 
having staffing, making sure that they have technical competency 
and expertise. On the issues of accountability and transparency 
and on having the invested support of all of the constituencies that 
make up ICANN, having firm relationships with the root-zone op- 
erators, and with the regional Internet registries, they’ve made 
progress on some of these. But the larger thematic of making sure 
that each of those constituencies are confident that ICANN has 
processes in place that are transparent and that there are means 
for accountability, it’s those broader thematic developments that I 
think we need to be focused on going forward. 

Senator Burns. OK. I think maybe — that’s all the questions I 
have for this panel, Mr. Chairman. We should talk more about 
those milestones and Internet transparency, what’s expected by the 
Department, what’s expected by us, because we’re talking about an 
organization that’s very, very important to us. 

So, I thank you for that information. 

Mr. Leibowitz. Mr. Chairman? 

The Chairman. Senator Pryor? 

Pardon me. 

Mr. Leibowitz. I was just going to say, Mr. Chairman, could I 
just come back to a question you asked me? You asked me about 
people who are doing basically bad things to American consumers 
on the Internet. And a lot of those folks are from out of the coun- 
try. And your Committee passed a bill, the U.S. SAFE WEB Act, 
which would allow us to more effectively work with foreign law en- 
forcement agencies — really, to protect American consumers by 
sharing information. It has passed your Committee. It passed the 
Senate by unanimous consent, and the House hasn’t taken it up 
yet. And anything you can do to help act on this noncontroversial 
bill, which really would help us do the things you want us to do, 
would be really appreciated in the waning days of this session and 
this Congress. 

The Chairman. Thank you for that. 

Senator Pryor? 

STATEMENT OF HON. MARK PRYOR, 

U.S. SENATOR FROM ARKANSAS 

Senator Pryor. Thank you, Mr. Chairman. 

Mr. Leibowitz, let me follow up on that point. It sounds like that 
this Committee and the Senate have acted to try to put some tools 
in your hands that you feel like we need, and it sounds like that 
has a big international dimension to it. Is that right? 

Mr. Leibowitz. That’s exactly right. Senator. 

Senator Pryor. And I assume one of the real challenges you have 
is the international aspects of the Internet. 
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Mr. Leibowitz. Well, of course it is, because at this point, right 
now, we can’t share confidential information, by law, with our for- 
eign law enforcement sister agencies. It’s an anomaly in the law 
and everyone agrees that it should be changed. And foreign law- 
enforcement agencies can’t share information with us, because it’s 
FOIA-able. So, of course, they won’t do that. And if we can em- 
power them to help us, I think that will be enormously helpful in 
trying to do the things you want us to do and really bringing more 
cases effectively. 

Senator Pryor. Does the Federal Trade Commission have any 
real control over the Internet right now? 

Mr. Leibowitz. No, we do not have control over the Internet. We 
try to bring cases, when we can, against Internet malefactors, of 
course, and we have brought a number of them. 

Senator Pryor. Should it have any control over the Internet? 

Mr. Leibowitz. Well, I think we should have the ability to effec- 
tively prosecute cases. And we can do some of that now, but we 
could be much more effective if this legislation was passed. And 
one of the reasons why we’re so concerned about this movement 
within ICANN to limit access to what’s now public information is 
that it will make it even more difficult for us to find out who the 
bad guys are. It will be particularly hard for us if we have to go 
to Internet registrars — and there are 800, I believe, of them, more 
or less — in foreign countries, and they don’t have to give us any in- 
formation, and that information isn’t available. 

Senator Pryor. Right, OK. And, I’m sorry, you’re going to have 
to pronounce your name for me. Is it Kneuer? 

Mr. Kneuer. Kneuer. 

Senator Pryor. Mr. Kneuer, I am very interested in the possi- 
bility, at least, of setting up a dot-xxx domain. I think that — and 
I may have it wrong, but I think that this would be a — an impor- 
tant step to cleaning up the Internet. I have a real concern. I have 
two young children — not that young; sixth and seventh grade — and 
they’re just getting, kind of, prime Internet-exposure age, and I 
have a lot of concern about them. And I think every parent in 
America is concerned, or should be concerned, about the Internet. 
And I think the dot-xxx domain could be an important step in 
maybe making the Internet safer in a lot — in a lot of different ways 
for our children and for this country, and, really, for the world. But 
as I understand it, NTIA urged ICANN to reject the dot-xxx do- 
main, and I’m curious if you know how that happened and why 
that happened? 

Mr. !^euer. Thank you. Senator. I absolutely share your con- 
cern. I’ve got two small children of my own — too small for the 
Internet, but I constantly worry about what happens when they get 
to be the age of your children, and older. 

ICANN did consider the adoption of a dot-xxx domain name, and 
they ultimately did not adopt that. There was communication from 
NTIA and the Department of Commerce into the ICANN process 
on two fronts with regards to dot-xxx. The first was a communica- 
tion that said, “As you are examining this, there appears to be a 
great deal of interest from a great deal of entities about this, and, 
as part of your bottom-up deliberative process, you should have an 
opportunity, and create an opportunity, for all interested stake- 
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holders to express their views.” So, we wrote a letter asking them 
to do that. Other governments wrote similar letters. 

I wrote a second letter, later, talking about, precisely, the poten- 
tial public policy benefits that would fiow from dot-xxx. If there 
were to be a dedicated domain, let’s make sure that there are en- 
forceable steps to make sure that pornography is limited to those 
sorts of sites. And it was simply a factual inquiry to say, “We’ve 
heard a list of public policy commitments. Are they being made en- 
forceable?” 

As I said, ultimately through the process, dot-xxx was not fully 
adopted, but 

Senator Pryor. Is that because you just want more time to ex- 
amine the value of dot-xxx? 

Mr. Kneuer. Well, I think it was through — as I said, communica- 
tions we made into the ICANN Government Advisory Committee. 
Other governments made similar inquiries. Large numbers of pri- 
vate entities made comments, both in favor of and against. I don’t 
believe we ever established a formal position, one way or another. 
Our comments with regards to dot-xxx, which are public, were 
along the lines of process, making sure that everybody had an op- 
portunity to weigh in, and then raising factual questions about, 
what would be the potential enforcement of these public policy ben- 
efits that could accrue from dot-xxx? 

Senator Pryor. Will ICANN revisit this in the future? 

Mr. Kneuer. I believe, under ICANN’s processes, there are peri- 
ods for reconsideration and review. My understanding is they’re 
currently undergoing that with regards to dot-xxx. There is a fairly 
transparent and open application process for the establishment of 
new top-level domains, so I don’t believe that there is anything 
that would preclude further consideration of whether it is dot-xxx 
or some other domain name. 

Senator Pryor. And that’s my last question, that you mentioned, 
transparency and openness and accountability. I think both of you 
have talked about this in your statements and in answering ques- 
tions. What can NTIA do to help improve the level of transparency 
and accountability? What needs to happen there? 

Mr. Kneuer. Well, I think that is the function of our MOU. The 
MOU does not create a relationship between the Department of 
Commerce and ICANN that is one of regulator and regulated; it is 
much more of a partnership. This was a U.S. Government function 
that we unilaterally are transferring to the private sector. And we 
have the MOU to help them with that transition and to help them 
develop those processes. So, to the extent being dedicated to being 
a closer observer than perhaps others might be, and sharing with 
them our insights and our views, being a sounding board for those 
sorts of issues, we help them work through this transition. So, that 
would be my expectation of what the ongoing relationship would 
entail, us helping them come up with processes that are trans- 
parent to the constituent membership, and the interested stake- 
holders so that they understand how they can interrelate with 
ICANN, that all views are heard and considered through the bot- 
tom-up coordination process, and that decisionmaking is account- 
able. 

Senator Pryor. Thank you, Mr. Chairman. 
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The Chairman. Well, thank you very much. 

Pardon me for mispronouncing your name, Mr. Kneuer. I don’t 
know whether you want to be “Knowwer” or “Knewer,” but sorry. 

[Laughter.] 

The Chairman. We do appreciate your help and consideration. I 
thank you for your plug for the bill we’ve passed in the Senate, and 
we still are trying to wait and see whether the House will pass 
that. It passed over here unanimously, so it should not be causing 
any problems over there. We do thank you for your help. 

Mr. Kneuer. Thank you, Mr. Chairman. 

The Chairman. Do you have any further questions. Senator? 

Senator Burns. I do not. 

The Chairman. So, we’ll turn to panel 2, then. Gentlemen, thank 
you very much. 

Our next panel is Dr. Paul Twomey, President and CEO of Inter- 
net Corporation for Assigned Names and Numbers; Mr. Ken Silva, 
Chief Security Officer for VeriSign; and Ms. Christine Jones, Gen- 
eral Counsel and Corporate Secretary for The Go Daddy Group. 

We thank you very much for being willing to testify here today 
to help us further understand the situation with regard to ICANN. 

Dr. Twomey, would you like to commence, please? 

STATEMENT OF DR. PAUL TWOMEY, PRESIDENT/CEO, 
INTERNET CORPORATION FOR ASSIGNED NAMES AND 
NUMBERS (ICANN) 

Dr. Twomey. Good morning 

The Chairman. Pull the mike toward you, please. 

Dr. Twomey. All right. Thank you. 

The Chairman. Thanks. 

Dr. Twomey. Good morning, Mr. Chairman, and members of the 
Committee. May I say how pleased I am to be — appear again in 
front of your Committee. Thank you for the opportunity to speak 
before the Subcommittee in my role as President and Chief Execu- 
tive of the Internet Corporation for Assigned Names and Numbers. 

ICANN is a private-sector organization performing a global func- 
tion, with our main office in Marina del Rey, California. ICANN 
has been recognized by the world community as the global authori- 
tative body on the technical and organization means to ensure the 
stability, interoperability of the DNS and the distribution of Inter- 
net protocol addresses and other unique identifiers. 

Since appearing before the Senate Committee on Commerce, 
Science, and Transportation nearly 2 years ago 

The (Chairman. I hate to tell you, but people in the back of the 
room are not hearing you. 

Dr. Twomey. OK, sorry. 

The Chairman. Can you pull the mike toward you, sir? 

Dr. Twomey. There we go. Thank you sir. 

The Chairman. Thank you. 

Since appearing before the Subcommittee nearly 2 years ago, 
ICANN has continued to take great steps forward in solidifying its 
role as the international private-sector entity tasked to provide 
technical coordination of the domain-name system. Since its origins 
in 1998, ICANN has helped secure a stable and secure Internet 
that creates a presumption of universal resolvability. ICANN has 
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fostered ^eater choice, lower costs, and better services to DNS reg- 
istrants, including over 10 million businesses in the United States 
alone. 

The Internet requires a stable and secure system of unique iden- 
tifiers if it is to serve the global community efficiently and reliably. 

At the core of ICANN’s mission is global interoperability of a sin- 
gle Internet. ICANN was established to serve the Internet commu- 
nity by maintaining the stability and security of the Internet’s 
unique identifier system and fostering competition, where appro- 
priate, to give Internet users greater choice at optimal cost. 

ICAlSlN’s successful coordination of its community underpins the 
operation of the global Internet. Each day, the system supports an 
estimated 30 billion resolutions, nearly ten times the number of 
phone calls in North America each day. There are currently more 
than 1 billion users of the Internet. Due to the universal DNS re- 
solvability, secured and coordinated by ICANN, the Internet ad- 
dresses resolve in the same way for every one of the Internet’s 
global users once online. 

ICANN is entering into six new agreements with gTLD registry 
operators in the last 2 years, including .net, .travel, .cat, .jobs, 
.mobi, and .tel. All the pending agreements have set out language 
with a greater accountability to ICANN on security and stability 
concerns, and also provide greater opportunities for ICANN to act 
in the event of actions of registries or such other issues that might 
arise from registry operator actions or practices. 

One particular agreement, the dot-com agreement, is part of a 
larger overall settlement of a longstanding dispute with VeriSign 
over its desire to introduce new registry services. That dispute 
arose with the creation of ICANN and has been resolved in a way 
that would enhance the performance of both entities to the benefit 
of all the users of the Internet. 

ICANN has been engaged in a longstanding and important rela- 
tionship with the U.S. Government and — since ICANN’s inception. 
And I note the previous panel’s discussion of the MOU. 

ICANN continues in its relationship with the U.S. Government 
and has recently entered into a new 5-year arrangement for 
ICANN to manage the Internet, assign names, and a numbers au- 
thority, lANA function — sorry — the Internet Assigned Numbers Au- 
thority. Additionally, ICANN and the NTIA are in the final stages 
of discussions which will confirm an appropriate continuing rela- 
tionship toward the transition of the coordination of the technical 
functions related to the management of the DNS to the private sec- 
tor. And this, we think, will recognize ICANN’s global private-sec- 
tor role, providing technical management of the DNS in a manner 
that provides stability and security, competition, coordination, and 
representation. 

One of the greatest achievements of ICANN has been the suc- 
cessful creation, support, and coordination of an ICANN community 
in creation of bottom-up policymaking processes supported by var- 
ious stakeholders involved in the DNS. The evolution of this proc- 
ess continues in many ways, but may I point to two important re- 
cent actions: 

This week, the ICANN Board, having reviewed the comments 
about ICANN and its processes, and particularly issues around 
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transparency and accountability that the Committee has already 
mentioned, generated from the Committee during the past year, 
has commenced review of its own guiding principles and is pub- 
lishing, soon, a set of private-sector management operating prin- 
ciples which will be offered for public review. 

And last week, the London School of Economics provided 
ICANN — an ICANN-commissioned independent third-party review 
of one of ICANN’s key policy development supporting organiza- 
tions, the Generic Name Supporting Organization. The information 
contained in this review will likely result in consideration of addi- 
tional improvements to ICANN’s GNSO and supporting organiza- 
tion structure. Such ongoing evolution and review is an important 
part of our policy process. 

May I just make some quick notes, then, on the issue of WHOIS, 
to state that ICANN is dedicating resources in this operational 
budget to better enforcement of the existing policy we have for 
WHOIS. There is a process presently underway among some of the 
constituencies of the ICANN process to discuss the WHOIS topics, 
as has been pointed out by previous speakers, but there is a long 
way to go before there would be any change; and, if there was any 
discussion coming from many of the other constituencies, there 
may be no change at all. I’d like to point out that all of the people 
who we’re representing here today have all had the opportunity, 
and will continue to have the opportunity, to input into that discus- 
sion, but, at the moment, there is no change to ICANN’s WHOIS 
policy. 

Since 1998, our self-governance model has succeeded in address- 
ing stakeholder issues as they appeared and bringing lower costs 
and better services to DNS registrants. One point I’d like to par- 
ticularly point out, partly coming to the question from you. Chair- 
man, is that ICANN’s uniform domain name — Universal Domain- 
Name Dispute-Resolution Policy has been successful and of great 
value to individuals, businesses, and intellectual property holders. 
The policy enables them to assert — in allow them to assert their 
rights on domain names and to bring an online arbitration system 
for dealing with just the sorts of disputes that you pointed out be- 
tween people who should own a particular domain name. The 
UDRP has resolved more than 17,000 disputes over the rights to 
domain names and has proven to be an efficient and cost-effective 
way of alternate dispute resolution. 

If I could just finish my testimony by pointing out that in the in- 
troduction of new gTLD registries and introduction of greater com- 
petition amongst registrars, domain-name costs to registrants in 
the lifetime of ICANN have declined by as much as 80 to 90 per- 
cent, with savings both for consumers as — consumers and busi- 
nesses. ICANN looks forward to working closely with people giving 
evidence here, the Committee, and others, as we go forward to com- 
pleting our transition to private-sector coordination. 

Thank you. 

[The prepared statement of Dr. Twomey follows:] 
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Prepared Statement of Dr. Paul Twomey, President/CEO, Internet 
Corporation for Assigned Names and Numbers (ICANN) 

Introduction 

Good morning, Chairman Smith, and members of the Committee. Thank you for 
the opportunity to speak before this Subcommittee in my role as President and CEO 
of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is 
a private sector organization performing a global function, with our main office in 
Marina del Hey, California. ICANN has been recognized by the world community 
as the global authoritative body on the technical and organizational means to en- 
sure the stability and interoperability of the DNS, and the distribution of IP ad- 
dresses. 

ICANN’s Role in Internet Governance 

Since appearing before the Senate Committee on Commerce, Science, and Trans- 
portation nearly 2 years ago, ICANN has continued to take great steps forward in 
solidifying its role as the international private sector entity tasked to provide tech- 
nical coordination of the domain name system (DNS). 

The limited and distinct mission of the Internet Corporation for Assigned Names 
and Numbers is clearly set out in Article I of ICANN’s Bylaws. ICANN: 

1. Coordinates the allocation and assignment of the three sets of unique identi- 
fiers for the Internet, which are: 

a. Domain names (forming a system referred to as “DNS”); 

b. Internet protocol (IP) addresses and autonomous system (AS) numbers; and 

c. Protocol port and parameter numbers. 

2. Coordinates the operation and evolution of the DNS root name server system. 

3. Coordinates policy development reasonably and appropriately as they relate 
to these technical functions. 

Since its origins in 1998, ICANN has helped secure a stable and secure Internet 
that creates a presumption of universal resolvability. ICANN has fostered greater 
choice, lower costs and better services to DNS registrants, including over ten million 
businesses in the United States alone. The Internet requires a stable and secure 
system of unique identifiers if it is to serve the global community efficiently and re- 
liably. 

At the core of ICANN’s mission is global interoperability of a single Internet. 
ICANN was established to serve the Internet community by maintaining the sta- 
bility and security of the Internet’s unique identifier systems, and fostering competi- 
tion where appropriate to give Internet users greater choice at optimal cost. 

ICANN’s successful coordination of its community underpins the operation of the 
global Internet. Each day this system supports an estimated 30 billion resolutions, 
nearly 10 times the number of phone calls in North America per day. There are cur- 
rently more than one billion users of the Internet. Due to the universal DNS resolv- 
ability secured and coordinated by ICANN, the Internet addresses resolve in the 
same way for every one of the Internet’s global users once online. 

ICANN has entered into six new agreements with gTLD registry operators (in- 
cluding .NET, .TRAVEL, .CAT, .JOBS, .MOBI, and .TEL) in the last 2 years (and 
has finalized negotiations and is waiting for approval of 5 others). All of the pending 
agreements have set out language with a greater accountability to ICANN on secu- 
rity and stability concerns, and also provide greater opportunities for ICANN to act 
in the event of actions of registries, or such other issues that might arise from reg- 
istry operator actions or practices., including: (a) the .COM agreement (which is cur- 
rently pending approval by the U.S. Department of Commerce) and (b) four other 
registry agreements for .ASIA, .BIZ, .INFO and .ORG (which are subject to review 
by the ICANN Board of Directors during the next ICANN Board Meeting). 

The .COM agreement is part of a larger overall settlement of a long-standing dis- 
pute with VeriSign over its desire to introduce new registry services. That dispute 
arose with the creation of ICANN and has been resolved in a way that would en- 
hance the performance of hoth entities, to the benefit of all of the users of the Inter- 
net. ICANN and VeriSign Board’s have both approved settlement documents that 
would permit the parties to act together in a concerted way to protect the overall 
security and stability of the Internet. Further, if VeriSign were ever to act in a man- 
ner that is inconsistent with the interests of the Internet community, ICANN has 
built additional mechanisms into the agreement to resolve such disputes promptly 
and effectively. 



22 


Continuing Relationship With the United States Government 

ICANN has been engaged in a long-standing and important relationship with the 
U.S. Government since ICANN’s inception, which has been administered by the U.S. 
Department of Commerce’s NTIA. ICANN is about to successfully complete the sixth 
separate amendment to its original Memorandum of Understanding with the DOC. 

ICANN will continue in its relationship with the U.S. Government, having re- 
cently entered into a new 5-year arrangement for ICANN to manage the Internet 
Assigned Numbers Authority (lANA) function. Additionally, ICANN and the NTIA 
are in the final stages of discussions, which will confirm an appropriate continuing 
relationship and will recognize ICANN’s global private sector role providing tech- 
nical management of the DNS in a manner that promotes stability and security, 
competition, coordination, and representation. 

ICANN’s Private-Sector Multi-Stakeholder Model and its Continuing 
Evolution 

One of the greatest achievements of ICANN has been the successful creation, sup- 
port and coordination of an ICANN Community and creation of the bottom-up pol- 
icymaking process supported by various stakeholders involved in the DNS. Since 
ICANN’s creation, the Internet community stakeholders, have vigorously discussed 
and reviewed ICANN’s mission and values. Accordingly, ICANN has continued to 
build into a robust entity, and has continued to evolve ICANN’s multi-stakeholder 
model, which remains encapsulated in ICANN’s Bylaws and its Mission and Core 
Values. 

The evolution continues in many ways, but most recently in the following actions: 

1. This week, the ICANN Board, having reviewed the comments about ICANN 
and its processes generated from the community during the past year, has com- 
menced a review of its own guiding principles and is publishing a set of Private- 
Sector Management Operating Principles (ICANN PSMOPs), which will be of- 
fered for public review. 

2. Last week, the London School of Economics provided an ICANN-commis- 
sioned independent third-party review of one of ICANN’s key policy develop- 
ment supporting organizations, ICANN’s Generic Name Supporting Organiza- 
tion (GNSO). The information contained in this review will likely result in con- 
siderations of additional improvements to ICANN’s GNSO and supporting orga- 
nizational structure. 

ICANN’s Continuing Accomplishments 

Since 1998, ICANN’s self-governance model has succeeded in addressing stake- 
holder issues as they have appeared, and bringing lower costs and better services 
to DNS registrants and everyday users of the Internet. 

ICANN has been continuing its efforts to manage and adapt in the face of contin- 
ued and dynamic growth of the Internet. ICANN, with the efforts of the ICANN Se- 
curity and Stability Advisory Committee, has worked to make the Domain Name 
System more resistant to external attack. 

ICANN has undertaken significant work in relation to Internationalized Domain 
Names (IDNs) that will enable people across the world to interact with the Inter- 
net’s domain name system in their own languages, which will work to avoid the cre- 
ation of alternate root systems. Working in coordination with the appropriate tech- 
nical communities and stakeholders, ICANN’s adopted guidelines have opened the 
way for domain registration in hundreds of the world’s languages. 

ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP) has been 
highly successful and of great value to individuals, businesses and intellectual prop- 
erty holders. The policy enables them to assert in allowing them to assert their 
rights against domain name squatters and infringers of intellectual property inter- 
ests. The UDRP has resolved more than 17,000 disputes over the rights to domain 
names, and proven to be efficient and cost effective for those utilizing this alter- 
native dispute resolution mechanism. 

After significant study and discussion, and working with the accredited gTLD reg- 
istrars, ICANN developed a domain name transfer policy enabling domain name 
holders to transfer management of their domain name from one registrar to another 
readily. The implementation of this policy has been highly successful and has been 
an important step in providing additional registrar market changes and greater 
choice to consumers. 

ICANN continues to introduce new Top Level Domains to give registrants right 
of choice. These include the introduction of seven new gTLDs in 2000 and four addi- 
tional ones so far from the 2004 sponsored top-level domain name round. 
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ICANN re-bid the .NET registry during 2005, resulting in a new agreement being 
executed between ICANN and VeriSign. ICANN has proposed five additional gTLD 
agreements with the registry operators of .ASIA, .BIZ, .COM, .INFO, and .ORG. All 
of the newly proposed registry agreements contain new language supporting 
ICANN’s role in the security and stability of the DNS. 

The market competition for generic Top Level Domain (gTLD) registrations estab- 
lished by ICANN has lowered domain name costs in some instances by as much as 
80 to 90 percent, with savings for both consumers and businesses. Additional detail 
is provided below. 

Registry-Registrar Level Competition 

Since ICANN was founded in 1998, ICANN has entered into many private arms- 
length agreements with registries (that operate the generic top-level domains), and 
with registrars (who are accredited by ICANN to sell domain names directly to con- 
sumers). Through these actions, ICANN has provided a private-sector solution and 
helped break down the monopoly position by a single dominant company, which pro- 
vided both registry and registrar functions to the majority of consumers purchasing 
domain names. 

In 1998, there were only three main generic top-level domain name registries 
(.COM, .NET, and .ORG) from which domain names could he purchased by Amer- 
ican small businesses. Only one company was running all three registries. Network 
Solutions (which was later acquired hy VeriSign). Most registrations by small busi- 
nesses were in .COM. 

There was a single registrar in 1998. That same company that ran the registries. 
Network Solutions, was the only registrar from which a consumer could purchase 
a domain name. The price of a single domain name in .COM in 1998, was approxi- 
mately $90.00 per domain name. The .COM Registry still controls a significant 
amount of the marketplace, but now less than 50 percent of the market, including 
ccTLD operators. 

The price for a .COM registration today depends upon where you purchase the 
name from, but in some instances the price of a domain name has been reduced by 
as much as 90 percent. Today, the price ranges from $7 to $35 per domain name. 
Go Daddy is now the largest registrar, displacing Network Solutions, which has 
been spun out of VeriSign. 

Consumers can choose from over 845 ICANN-Accredited Registrars, derived from 
more than 250 unique business groups (a significant number owning interests in 
multiple registrar companies), located in over 40 countries. 

Between 2000 and today, 11 new generic top-level domains have signed agree- 
ments with ICANN. Five of those (.CAT, .JOBS, .MOBI, .TEL and .TRAVEL) having 
signed agreements with ICANN in the last 18 months. 

Conclusion 

In conclusion Mr. Chairman, ICANN is committed to its continuing role as the 
private sector steward of a stable and globally interoperable Internet, and is com- 
mitted to fostering competition in the domain name marketplace. 

The Chairman. Thank you very much. We will look forward to 
coming back to you with some questions concerning your position. 

Our next witness is Mr. Ken Silva, the Chief Security Officer for 
VeriSign. 

STATEMENT OF KEN SILVA, CHIEF SECURITY OFFICER, 

VeriSign 

Mr. Silva. Thank you, Mr. Chairman. 

My name is Ken Silva, and I serve as Chief Security Officer for 
VeriSign. I also serve as the Chairman of the Internet Security Al- 
liance, as well as serving on the Board of Directors for the Informa- 
tion Technology — Information Sharing and Analysis Center. I’m 
also an advisor to the Bush Administration’s National Security 
Telecommunications Advisory Council. 

Internet governance is an important issue today, because the 
Internet is so critical to our national and economic security. The 
technology of the Internet has transformed personal communica- 
tions, banking and finance, government processes, and manufac- 
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turing. For example, 25 percent of America’s value moves over our 
networks each day. 

The United States is not the only country focused on Internet 
governance, however. A number of countries, such as China, Cuba, 
and Syria banded together last year in an attempt to shift control 
of the Internet over to the United Nations or the International 
Telecommunications Union. They did so, because they believe the 
United States has too much control over the Internet. Their efforts 
were not successful, in large part due to the outstanding efforts by 
the State Department and the Commerce Department. These coun- 
tries, however, have not given up on their goal. The dramatic rise 
in usage bears out the Internet’s importance globally. 

The dot-com bust gave the illusion that the Internet growth had 
slowed down, but, in fact, it has actually grown at a remarkable 
rate. At the height of the dot-com boom in 2000, for example, there 
were roughly 250 million people using the Internet. Today, that’s 
about a billion. So, that’s about a 300-percent increase since — over 
300-percent increase since 2000. 

So, there are two questions we would pose today. The first is, is 
the Internet able to meet the growing demands on its infrastruc- 
ture? And the second, is the Internet secure and reliable, and will 
it continue to be so? 

VeriSign’s role in supporting the Internet’s infrastructure gives 
us a unique perspective on the Internet and these questions. 
VeriSign operates two of the 13 authoritative “root” servers, includ- 
ing the A root. VeriSign also manages dot-com and dot-net domain 
registries. 

So, let’s start with the first question. Is the Internet able to meet 
the growing demands of the infrastructure? The answer is yes, as 
long as we continue to promote investment in the infrastructure. 
While users have increased 300 percent since 2000, the volume of 
traffic has increased 1900 percent. VeriSign is very proud of the 
fact that dot-com and dot-net systems have had 100 percent up- 
times 7 years straight. To support these functions, VeriSign has in- 
vested hundreds of millions of dollars in building a global network 
of computers that are a critical component of the Internet’s infra- 
structure. VeriSign is not alone in this. There are more than 250 
other such registries. It is, therefore, essential that a framework is 
in place, for all operators, that drives operational excellence so we 
can meet the demands of the Internet. 

Now to the second question. Is the Internet secure and reliable? 
While the Internet has operated remarkably well, we can never get 
lulled into a false sense of security. What makes for good security 
today is a vulnerability tomorrow. The very growth of Internet 
users, broadband capacity, and the number of Internet-enabled de- 
vices has created an opportunity for hackers, organized criminals, 
and, even more serious, terrorists to attack our networks. There- 
fore, we must continually probe our weaknesses and invest in and 
strengthen our networks. 

Let me give you some historical examples of what I’m talking 
about here. 

In October 2002, the Internet community got a wake-up call 
when 13 — all 13 of the DNS root servers came under a heavy de- 
nial-of-service attack. That attack was viewed at the time as the 
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largest attack ever to hit the Internet. It was viewed as a national 
crisis. Dick Clark, at the time, raised a red flag to this. There were 
a number of hearings on this subject, and a massive investigation 
by government to ensure that the root server system was secure. 

That attack, unfortunately, in 2002, while it was a massive at- 
tack and did affect a large number of the root servers, would be 
considered a very weak and feeble attack today. Just a few months 
ago, in January of this year, we observed an attack that was ten 
times that size and was targeted at the dot-com servers. We weath- 
ered that attack, but 1,500 other websites over a 6-week period of 
time did not bear the attack as well. Now, these hackers targeted 
their victims over a 6-week period of time, and they used about 
32,000 of what we estimate to be a half a million available re- 
sources to them. So, that’s just 6 percent of what’s available. This 
could have been much worse, and the fact — and, in fact, would 
have taken down even the largest ISPs, had it been directed at any 
of them. 

The lesson learned there is that we must be prepared against 
these threats. VeriSign, for example, has invested over $250 mil- 
lion on the Internet infrastructure, and expects to continue to in- 
vest significantly in the near-term to strengthen against the new, 
more devastating attacks. To put this investment in perspective, 
VeriSign today can manage 10,000 times the capacity of Internet 
traffic that it handled in 2000. 

We must move forward as an industry and a community to 
strengthen the Internet. In the last year, several steps have been 
taken by the community to ensure a strong Internet. Progress has 
been made on introducing internationalized domain names and ex- 
panding the number of Internet addresses. ICANN has also estab- 
lished a framework for registry operators that, one, gives ICANN 
the authority to fire an operator if it fails to meet its performance 
levels; two, provides incentives for continued investment; and, 
three, imposes safeguards for consumers. This new framework ad- 
vances the objective of security and stability by ensuring the nec- 
essary investment into the critical infrastructure. 

To conclude, Mr. Chairman, the last 5 years have brought pain- 
ful lessons on the importance of preparation. We must not lose that 
vigilance, and we must continually take steps to strengthen the 
Internet so it remains reliable and always available. 

I thank you for this opportunity to testify. 

[The prepared statement of Mr. Silva follows:] 

Prepared Statement of Ken Silva, Chief Security Officer, VeriSign 

Good morning. Chairman Smith, and distinguished members of the Committee. 
My name is Ken Silva and I serve as Chief Security Officer of VeriSign. 

VeriSign operates intelligent infrastructure services that enable and protect bil- 
lions of interactions every day across the world’s voice and data networks. The com- 
pany is headquartered in Mountain View, California, and it has additional corporate 
facilities in Virginia, Kansas, Washington State and Massachusetts. 

Thank you for the opportunity to testify today. I have a prepared statement, 
which I would request be inserted in the record. 

Internet governance is not a topic that 5 years ago would have been the subject 
of a Congressional hearing. The Internet was still relatively new and was not 
thought of yet as critical to our national and economic security. 

We have all witnessed, and learned, a lot over the last 5 years. We have had trag- 
ic reminders that our critical infrastructure and national symbols are targets. We 



26 


have seen how not adequately preparing for events can have disastrous con- 
sequences. And we have seen how questions of who controls our critical infrastruc- 
ture, such as the port issue, can spark controversy. 

And the United States is not the only country focused on Internet governance. In 
fact, a number of countries such as China, Cuba, and Syria last year sought to shift 
control of the Internet over to the United Nations or International Telecommuni- 
cations Union. They did so because they believe the United States has too much con- 
trol over the Internet. 

Their efforts were not successful in large part due to the outstanding efforts by 
the State Department and Commerce Department. These countries, however, have 
not given up on their goal. 

Internet governance is an important issue today because the Internet is critical 
to our national and economic security. The technology of the Internet has trans- 
formed personal communications, banking and finance, government process and 
manufacturing. Twenty-five percent of America’s economic value moves over net- 
work connections each day. If the Internet were to go down for a just few hours, 
we would lose hundreds of millions of dollars of economic activity. If it went down 
for several days, U.S. economic activity would be severely curtailed; payrolls would 
not be met, securities transactions not cleared; invoices not paid. 

So whether it’s Wal-Mart, the House of Representatives or a soccer mom checking 
e-mail to see if today’s practice is still on, we all rely on the Internet. 

The dramatic rise of Internet usage bears that out. 

The dot-com bust gave the illusion that Internet growth slowed down, but in fact 
it has grown at a remarkable rate. At the height of the dot-com boom in 2000, for 
example, roughly 250 million people used the Internet. Today, according to Internet 
World Stats, more than 1 billion users worldwide rely on the Internet, a 300 percent 
increase since 2000. 

So, there are two questions we would pose today: 

• Is the Internet able to meet the growing demands on its infrastructure? 

• Is the Internet secure and reliable? 

VeriSign’s role in supporting the Internet’s infrastructure gives us a unique per- 
spective on the Internet, and these questions. 

VeriSign operates two of the 13 authoritative “root” server operation centers that 
direct Internet traffic, including, at the request of the U.S. Commerce Department, 
the “A” Root Server. In this server, we maintain the authoritative address list of 
all Internet top-level domains. VeriSign also manages the “dot COM” and “dot NET” 
domain registries. These are the central databases that enable you as an Internet 
user to simply type in a domain name on your computer, such as “verisign.com,” 
and connect it over the Internet to the machine that hosts the proper website. 

Let’s start with the first question: Is the Internet able to meet the growing de- 
mands on its infrastructure? 

The answer is yes, as long as we continue to promote investment in the infra- 
structure. The explosion of Internet-enabled devices and applications — text mes- 
saging, music downloads, VoIP, Blackberries and device-to-device communications — 
has created exponential growth in Internet traffic far surpassing the increase in 
users. While users have increased 300 percent since 2000, the volume of traffic on 
.com and .net has increased 1,900 percent. 

VeriSign is proud of the fact that the .com and .net systems have had 100 percent 
uptime 7 years straight. To support these functions, VeriSign has invested hundreds 
of millions of dollars into building a global network of computers that are a critical 
component of the Internet’s infrastructure. 

VeriSign is not alone in this. There are more than 250 domain registries in the 
world — for domains such as .fr for France, .de for Germany and what are called ge- 
neric top-level domains such as .info, .org and .biz. All of these domains have reg- 
istry operators that, like VeriSign, must operate and invest in critical infrastructure 
to keep the systems running smoothly. 

It is therefore essential that a framework is in place for all operators that drives 
operational excellence so we can meet the coming demands for the Internet, such 
as broadcast quality video and other real-time high-bandwidth applications. 

Now, to the second question: Is the Internet secure and reliable? 

While the Internet has operated remarkably well we can never get lulled into a 
false sense of security. What makes for good security today is vulnerability tomor- 
row. We must continually probe our weaknesses and invest and strengthen our net- 
works. 

This very growth of Internet users, broadband capacity and number of Internet- 
enabled devices has created an opportunity for hackers, organized criminals and 
even more serious terrorists to attack our networks. Some do so for technical tro- 



27 


phies, some for political objectives, but today, most bad behavior on the Internet is 
done for financial gain. 

In fact, the very devices and increased bandwidth that make the Internet more 
robust and user friendly are being deployed to compromise the Internet. Now that 
computers are always-on, they are easily accessible to hackers and other abusers to 
hijack. And the increased bandwidth and computing power available literally gives 
hackers more ammunition to utilize against the infrastructure: 

• Regular PCs are being hijacked to mount these attacks. According to 
CipherTrust, more than 180,000 PCs are illegally hijacked each day and turned 
into zombies. 

• Hackers are utilizing the computing capacity available to their advantage. 
While a Jupiter Research report in 2004 found that the typical home needed 
less than 3 Mbps of bandwidth, that level has steadily grown and given the de- 
mands of gaming and video that capacity is expected to grow to 57 Mbps by 
2009. That means that hackers will have 19 times the computing capacity avail- 
able to them in the PCs they hijack in that period. 

Let me give you some historical examples of what types of attacks we as a com- 
munity have experienced. 

In October 2002, the Internet community got a wake-up call when the 13 DNS 
root servers, which serve as the heart of the Internet addressing system, came 
under heavy denial of service (DoS) attack. In these attacks, the hackers send count- 
less bogus inquiries to domain-name servers, which are computers that direct Inter- 
net traffic. By sending phony website requests to these servers, they overload and 
disable them, making websites unavailable. 

These attacks significantly impaired the operations of several of the root servers. 
The industry stepped up, and today an attack of that scale and type would be a blip 
on the radar. 

But hackers never give up innovating. In early January 2006, for example, a 
hacker systematically disabled over 1,500 websites using hijacked PCs. In these at- 
tacks, the hacker didn’t directly attack the domain-name servers. Instead, they sent 
their traffic to a legitimate server with a DNS query and a forged source address. 

In this case, the hacker also made the DNS query larger, by a factor of 70 times, 
which amplified the attack and further disabled the victims servers. 

These hackers used hijacked PCs to target their victims over a six-week time- 
frame. And the scary part is the hacker used a small fraction — 32,000 of 500,000 
PCs (or just 6 percent) — available to them. This could have been much worse, but 
it was still severe enough to significantly disrupt the operations of 24 registry opera- 
tors as well as hundreds of businesses. 

These attacks remain under investigation. 

The lesson learned is that we must be prepared against all threats. VeriSign, for 
example, has invested over $250 million in the Internet infrastructure and expects 
to continue to invest tens of millions of dollars in the near-term to strengthen it 
against potential attacks. 

To put that investment in perspective, VeriSign today can manage 10,000 times 
the capacity of Internet traffic that it handled in 2000. 

Looking Toward the Future 

The Internet is made up of a number of entities that all must work together. The 
root servers serve at the heart of Internet enabling Internet traffic to get to the 
right address, over 250 domain name registries around the world ensure that each 
of the domains is operational, service providers such as EarthLink provide service 
to businesses and consumers, and registrars provide the services that consumers use 
to register domain names. 

The task of maintaining the technical coordination of these sometimes disparate 
layers falls on ICANN, which gains its authority through a Memo of Understanding, 
or MOU, with the Department of Commerce. 

The Internet community’s challenge is to promote innovation so that consumers 
can do more while strengthening the infrastructure. 

In the last year, several steps have been taken by the Internet community to en- 
sure a strong Internet. Progress has been made on introducing internationalizing 
domain names and expanding both number of Internet addresses available. ICANN 
has also established a framework for registry operators that both rewards strong 
performance and provides incentives for investment and imposes safeguards for con- 
sumers. 

ICANN has implemented new agreements for the .net and .mobi agreements, and 
proposed new agreements for .com, .info, .biz and .org that incorporate these prin- 
ciples. These agreements, for example, give the operators flexibility to increase 
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prices while protecting Internet users by, in some cases, imposing limits on the lev- 
els of increases and requiring a six-month notice so consumers could lock in at exist- 
ing prices. 

This new framework advances the objective of security and stability by ensuring 
the necessary investment into the critical infrastructure. 

Finally, the question comes to ICANN itself. At the heart of the question is 
ICANN’s independence and what that means for the core infrastructure of the Inter- 
net. ICANN has taken steps, through its registry agreements, to become more finan- 
cially independent. Under the old model, one industry controlled ICANN’s budget 
and that was an unhealthy system. 

ICANN has taken steps to get additional funding from the registries without con- 
ditions, which means it will have more independence. 

To conclude, Mr. Chairman, the last 5 years have brought painful lessons on the 
importance of preparation. The Internet has worked — in fact, been taken for grant- 
ed — because we have stayed a step ahead of both the dramatic rise in Internet traf- 
fic as well as the nefarious efforts to do it harm. 

We must not lose that vigilance and continually take steps to strengthen the 
Internet so it remains reliable and always available. 

Thank you for this opportunity to testify. 

The Chairman. Thank you very much. 

I see Senator McCain is here. Senator, have you got a time-frame 
or do you wish to make a statement? 

STATEMENT OF HON. JOHN McCAIN, 

U.S. SENATOR FROM ARIZONA 

Senator McCain. Thank you, Mr. Chairman. I just would make 
a brief comment. Thank you for holding this hearing. 

I would point out that since the NTIA published its White Paper 
on the governance of the Internet’s naming and addressing system, 
we obviously — our government has aspired to turn over the tech- 
nical management of the DNS to private nonprofit that would be 
committed to several principles. 

I apologize for not being able to stay. I wanted to thank the wit- 
nesses. This is a very important issue. And one of my many con- 
cerns is truly making sure that competition and the resulting bene- 
fits to consumers exists in the DNS. 

And a lot of people don’t understand this issue, Mr. Chairman, 
but I think it’s a very important one, and I thank you for holding 
this hearing, and I hope we can move forward to a resolution to 
it. 

I thank you, Mr. Chairman. 

The Chairman. Thank you very much. 

We’ll next turn to Christine Jones, General Counsel, Corporate 
Secretary, for Go Daddy Group. Glad to have you with us. 

STATEMENT OF CHRISTINE N. JONES, GENERAL COUNSEL/ 
CORPORATE SECRETARY, THE GO DADDY GROUP, INC. 

Ms. Jones. Thank you. Good morning, Mr. Chairman, and mem- 
bers of the Committee. 

I’m Christine Jones — as you said. General Counsel and Corporate 
Secretary of The Go Daddy Group. We’re happy to be here with 
ICANN and VeriSign. We are ICANN’s largest benefactor and 
VeriSign’s largest customer, so we feel it’s only fitting that we 
should be sitting here at the table with them today. 

I’m going to focus my remarks on three principal issues that you 
raised with earlier witnesses: the renewal of the Memorandum of 
Understanding between the Department of Commerce and ICANN, 
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the .com Registry Agreement, and the security and stability of the 
Internet. 

The Go Daddy Group is an Arizona corporation. It consists of 
eight ICANN-accredited registrars, including GoDaddy.com, our 
flagship company. When I joined Go Daddy in 2002, it was a very 
small registrar, with well under 100 employees. Today, we have 
over 15 million domain names under management, and we’re the 
number-one registrar in the world. That means we register a do- 
main name once every 3 seconds or less. And every time we do, 
VeriSign gets another $6 from us. We currently employ over 1,200 
people, and we do not utilize any offshore outsourcing of any kind. 
And we’re committed to that. 

I want to talk about the renewal of the Memorandum of Under- 
standing. There was a DNS White Paper, which was first published 
in 1998. That paper articulated that principles of accountability, 
competition, private, bottom-up coordination and representation, 
were necessary for guiding the transition to private sector of the 
Internet domain-name system. And we believe that those principles 
still remain relevant today. 

ICANN has made some progress toward achieving some of the 
goals there, but not all of them. Specifically — and this was a ques- 
tion that came up with the government witnesses — ICANN has not 
yet achieved the competition goal, nor have they achieved this pri- 
vate, bottom-up coordination and representation called for even in 
their own bylaws. And the events of the last 2 years call into ques- 
tion whether or not ICANN will ever be able to accomplish those 
goals in the future. 

The MOU, which is set to expire next Saturday, should be ex- 
tended, but it should also be modified to stress the need to correct 
these deficiencies and require a clear roadmap from ICANN as to 
how it will regain the confidence of the community upon which its 
existence relies. This Committee’s commitment to ensuring ICANN 
appropriately administer that system is vital. 

Private, bottom-up coordination and representation should be a 
guiding principle in the ICANN policymaking process. While we 
have repeatedly urged ICANN to abide by this principle, they have 
chosen, instead, to conduct business behind closed doors and with- 
out input from the ICANN community. Unfortunately, ICANN has 
yet to commit to — or perhaps they are unable to commit to — open- 
ness, transparency, and accountability. The manner in which the 
new dot-com agreement was negotiated is a relevant example of 
ICANN and VeriSign getting together off the record, creating a mu- 
tually beneficial policy, and then boldly announcing that they have 
made a decision without input from any of the stakeholders. 

ICANN is responsible for an important public trust. To preserve 
that public trust, it is vital that all stakeholders have access to and 
recognize input into these types of discussions. The entire Internet 
community should be made to fully understand the reasons for 
ICANN’s decisions and to have effective and unbiased recourse if 
they have reason to question those processes and decisions. 

ICANN’s bylaws specifically state — and I’m quoting — “ICANN 
and its constituent bodies shall operate, to the maximum extent 
feasible, in an open and transparent manner and consistent with 
procedures designed to ensure fairness,” and, “in carrying out its 
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mission as set out in these bylaws, ICANN should be accountable 
to the community for operating in a manner that is consistent with 
these bylaws.” 

Now, despite those provisions, there is no appropriate account- 
ability mechanism in place to impartially review ICANN Board ac- 
tions. It doesn’t exist. There are two accountability and review 
mechanisms defined in the bylaws. One is called “reconsideration,” 
and one is called “independent review.” “Reconsideration” is basi- 
cally the Board reviewing itself. And “independent review” is a 
mechanism which is entirely untested and has never been used. 

We believe there needs to be an independent evaluation of how 
these accountability mechanisms have worked, or will work, and 
the implementation of any adjustments recommended as a result 
of that evaluation should be undertaken before any final transition 
can be contemplated. 

So, we believe the MOU must be revised to include openness and 
transparency as overall guiding principles if we are ever to see an 
effective transition of the Internet DNS management to the private 
sector through ICANN. 

We would be happy to be involved in the process of determining 
appropriate revisions, if that assistance would help move the ball 
forward. We’d be happy to volunteer to be involved in that. 

On security and stability, like all of us in this room and at this 
table. Go Daddy believes that the security and stability of the 
Internet is vital. We devote considerable time and resources to 
working with law enforcement on preserving the integrity and safe- 
ty of the Internet by quickly closing down websites and domain 
names engaged in illegal activities. We work with law enforcement 
agencies at all levels and routinely assist in a wide variety of crimi- 
nal and civil investigations. We’re also quick to respond to com- 
plaints of spam and phishing and pharming and online fraud, and 
the subject matter of yesterday’s hearing, Internet child pornog- 
raphy. And we work closely with anti-fraud and security groups 
such as the Anti-Phishing Working Group, the Digital PhishNet, 
the National Center for Missing and Exploited Children, and 
CyberTipline. 

I personally, and this company in general, have made it a high 
priority to use our position as a registrar to make the Internet a 
better and safer place, and we feel very strongly about that. 

We recognize that VeriSign also has an important role to play in 
the security and stability of the Internet. They manage the entire 
infrastructure that supports the largest generic top-level domain, 
the dot-com. That’s why it’s incrediWe to us that ICANN did not 
include an infrastructure investment requirement in the proposed 
dot-com agreement. In negotiating that agreement, VeriSign en- 
sured that their revenue would increase, and ICANN ensured that 
their budget would benefit, but who’s going to ensure the benefits 
of the public interest, as well? This Committee should insist that 
the agreement between VeriSign and ICANN require VeriSign to 
invest in continued infrastructure in the future. 

VeriSign has over a billion dollars at stake — $1 billion — if the 
proposed .com Registry Agreement is not approved. Because a sub- 
stantial portion of that $1 billion comes from Go Daddy customers. 
I’d like to focus on that agreement for a minute. 
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According to ICANN, 75 percent of all generic top-level domains 
are registered in the dot-com. Dot-com names accounted for over 80 
percent of the growth in the generic top-level domain-name space 
in 2005. Today, there are over 56 million dot-com names registered. 
One of those is SenatorStevens.com, I’m sure. We’ll be happy to try 
to help to track that down, if you’d like. That number is projected 
to grow to over 

The Chairman. Let me say that was just an example. 

[Laughter.] 

The Chairman. I don’t want to get involved in this anymore than 
I already am. 

[Laughter.] 

Ms. Jones. Yes, too late, sir. 

[Laughter.] 

Ms. Jones. OK, so that number is projected to grow to over 61 
million by the end of the year, and to over 350 million — 350 mil- 
lion — dot-com names by the end of 2012. That means VeriSign gets 
this huge windfall, if this agreement is approved. 

The form of presumptive renewal in the proposed agreement is 
simply anticompetitive. The form of renewal eliminates the possi- 
bility that dot-com could ever be rebid to allow true market mecha- 
nisms to set the price for dot-com. 

It’s important to note that when the dot-net contract was rebid 
last year, it resulted in a price reduction of over 28 percent, from 
$6 down to $3.50, a price that was appropriate to the then-existing 
market conditions. 

Other legitimate monopoly companies, such as the Bell Compa- 
nies, for example, must justify their price increases, and VeriSign, 
the monopoly provider, should be required to do the same. 

I’d like to thank you. Chairman Stevens and Senator Smith and 
the members of the Committee, for the generous invitation to tes- 
tify today. We agree that the secure future of the Internet is para- 
mount to the overall success of our economy, and that of the global 
community, as well. Your commitment to bringing attention to this 
issue is sincerely appreciated. 

Inasmuch as the current agreement between ICANN and 
VeriSign does not expire until November 10, 2007, I respectfully re- 
quest that this Committee direct the NTIA not to approve the 
agreement until such time as it has been reviewed in an open and 
transparent manner by the entire ICANN community. 

Thank you. 

[The prepared statement of Ms. Jones follows:] 

Prepared Statement of Christine N. Jones, General Counsel/Corporate 
Secretary, The Go Daddy Group, Inc. 

Introduction 

Good morning Mr. Chairman and members of the Committee. I am Christine 
Jones, General Counsel and Corporate Secretary of The Go Daddy Group, Inc. 

First, I would like to thank you, Chairman Smith, for the kind invitation to testify 
today regarding Internet governance and the future of the Internet Corporation for 
Assigned Names and Numbers (ICANN). We are thankful for your attention to this 
important issue and for recognizing that the Internet is a resource significant 
enough to deserve the attention of the U.S. Senate. We agree that its secure future 
is paramount to the overall success of our economy, and that of the global commu- 
nity, as well. The future of ICANN rests with the public that it was formed to ben- 
efit. That community’s confidence in ICANN has been shaken by the lack of open- 
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ness and transparency; by the apparent unwillingness of the ICANN Board of Direc- 
tors to be accountable to anyone but itself; and, the giant step backward that is now 
being taken by the introduction of anticompetitive registry agreements that threat- 
en to undo what progress has been made. 

The Memorandum of Understanding between ICANN and the Department of 
Commerce should be extended and modified to stress the need to correct these defi- 
ciencies and require a clear roadmap from ICANN as to how it will regain the con- 
fidence of the community upon which its existence relies. This Committee’s commit- 
ment to ensuring ICANN appropriately administer that system is vital. 

Background 

The Go Daddy Group, Inc. consists of eight ICANN-Accredited registrars, includ- 
ing GoDaddy.com. When I joined Go Daddy in early 2002, it was a very small reg- 
istrar with well under 100 employees. Today, we have over fifteen million domain 
names under management, and are the number one registrar in the world. That 
means we register a domain name once every 3 seconds or less. Go Daddy is also 
the largest provider of hostnames in the world today. We currently employ over 
1,200 people and do not utilize offshore outsourcing of any kind. 

The Go Daddy Group devotes considerable time and resources to working with 
law enforcement on preserving the integrity and safety of the Internet by quickly 
closing down websites and domain names engaged in illegal activities. We work 
with law enforcement agencies at all levels and routinely assist in a wide variety 
of criminal and civil investigations. We are also quick to respond to complaints of 
spam, phishing, pharming, and online fraud and work closely with anti-fraud and 
security groups such as the Anti-Phishing Working Group, Digital Phish Net, the 
National Center for Missing and Exploited Children, and CyberTipLine. I person- 
ally, and the company in general, have made it a high priority to use our position 
as a registrar to make the Internet a better and safer place. 

The Go Daddy Group has been an active supporter of ICANN processes for over 
5 years. We continue to believe in the validity of the transition of management of 
the Internet Domain Naming System (DNS) to the private sector, but we have seri- 
ous concerns regarding the progress of that transition to ICANN. 

The DNS White Paper, first published in 1998, articulated that principles of ac- 
countability, competition, private, bottom-up coordination, and representation are 
necessary for guiding the transition to private sector management of the Internet 
DNS. We believe those principles remain relevant, but our testimony will explain 
why we also believe those principles have not yet been fully accomplished by 
ICANN, and why the events of the last 2 years bring into question whether ICANN 
will be able to accomplish them in the future. 

Competition 

Significant progress has been made in regards to competition at the registrar 
level. However, that is only half the equation. The .com extension still maintains 
overwhelming dominance among the generic top level domain (gTLD) registries. In 
addition, the new form of registry agreement that has been proposed for the .com 
registry, as well as the other gTLD registries, threatens to further entrench that 
dominance and even negate competition at the registrar level: 

Proposed .com Registry Agreement 

It’s important to first understand the current metrics involved with the .com reg- 
istry: 

• According to the monthly registry reports posted on ICANN’s website, .com still 
accounted for 75 percent of all gTLD registered domain names at the end of 
2005, and accounted for over 80 percent of the growth in the gTLD name space 
during 2005. 

• The number of registered .com domain names is growing at increasing rates 
year over year. The .com registry increased by over 16 percent in 2003, over 25 
percent in 2004, and almost 34 percent in 2005. 

• There are over 56 million .com names registered as of the date of this testi- 
mony. That represents a 25 percent growth so far in 2006 and projects to 35 
percent growth for the year, to over 61 million .com domain names. 

• If .com just maintains a 34 percent growth rate over the life of the proposed 
agreement, it will grow to over 350 million domain names by the end of 2012. 

• As a result, the incremental revenue from the 7 percent price increases in 4 of 
the 6 years as allowed in the proposed agreements will provide VeriSign a wind- 
fall of over $1.8 billion. 
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• For example, if you go to www.GoDaddy.com and register the domain name 
www.ChairmanSmith.com, you would pay a meiximum of $8.95 per year for that 
domain name registration. Of that $8.95, by the current .com contract, $6.00 
goes to VeriSign, $.25 goes to ICANN as a transaction fee, and the balance of 
it goes to operating expenses and profit for Go Daddy. Taking this example fur- 
ther, if some portion of the current 56 million .com names are renewed, under 
the proposed agreement, $6.00 would still go to VeriSign, plus an automatic in- 
crease of 7 percent in 4 out of the next 6 years, an increase without price jus- 
tification. This is an extraordinary profit and these are just the renewals. 

Of course, that windfall will come at the expense of consumers. The increasing 
costs of .com will result in a leveling effect of .com retail prices. At the same time, 
it provides VeriSign a marketing fund of gigantic proportions in comparison to its 
so-called competitors. As a public company with a fiduciary responsibility to its 
shareholders, VeriSign will no doubt use these funds to market and innovate at a 
level with which other gTLDs will not be able to compete. Given the market power 
that .com continues to hold, allowing VeriSign this windfall is inappropriate for an 
organization committed to the promotion of competition. 

The form of presumptive renewal in the proposed .com agreement is also anti- 
competitive. It substantially allows a perpetual agreement unless VeriSign breaches 
its agreement and fails to cure. It even allows for repeated breaches with only mon- 
etary fines as the penalty. This form of renewal eliminates the possibility that .com 
could ever be re-bid to allow true market mechanisms to set the price for .com. It 
is important to note that when the .net contract was re-bid, it resulted in a price 
reduction of over 28 percent, from $6.00 per .net domain name to $3.50. a price ap- 
propriate to then existing market conditions. 

In addition, this form of presumptive renewal leaves no way ICANN can ever de- 
cide to re-bid .com based on VeriSign’s performance as a steward of the .com name 
space. Note the four conditions below (emphasis ours) under which ICANN could de- 
cide not to renew .com under Section 25. B of the current agreement. They no longer 
exist in the proposed COM agreement. 

Registry Operator shall be awarded a four-year renewal term unless ICANN dem- 
onstrates that: (a) Registry Operator is in material breach of this Registry Agree- 
ment, (b) Registry Operator has not provided and will not provide a substantial serv- 
ice to the Internet community in its performance under this Registry Agreement, (c) 
Registry Operator is not qualified to operate the Registry TLD during the renewal 
term, or (d) the maximum price for initial and renewal registrations proposed in the 
Renewal Proposal exceeds the price permitted under Section 22 of this Registry 
Agreement. 

Removing the above requirements is particularly alarming given that under the 
proposed agreement, VeriSign is not required to make infrastructure investments or 
demonstrate that such investments are being made. What are they going to do with 
the $1.8 billion windfall? How do they intend to accommodate the projected growth 
of the .com name space to over 350 million domain names, an increase of almost 
600 percent over the life of the proposed agreement? It is a serious mistake on the 
part of ICANN to not ensure that appropriate investments in infrastructure will be 
made, especially considering their overall mission of the security and stability of the 
Internet. The .com name space is too important to simply assume that a wide open 
presumptive renewal is enough incentive for the registry operator to make appro- 
priate investments. The proposed .com agreement must, therefore, be refined before 
it is approved by the NTIA. 

Future of New gTLDs 

We believe an effective and objective process for introducing new gTLDs is an- 
other important change that needs to take place to increase competition at the reg- 
istry level. In fact, that is one of the specific tasks set out in section II.C. of Amend- 
ment 6 of the Memorandum of Understanding under which ICANN currently oper- 
ates with the Department of Commerce: 

8. Continue the process of implementing new top level domains (TLDs), which 
process shall include consideration and evaluation of: 

a. The potential impact of new TLDs on the Internet root server system and 
Internet stability; 

b. The creation and implementation of selection criteria for new and existing 
TLD registries, including public explanation of the process, selection criteria, 
and the rationale for selection decisions; 

c. Potential consumer benefits/costs associated with establishing a competitive 
environment for TLD registries; and. 
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d. Recommendations from expert advisory panels, bodies, agencies, or organi- 
zations regarding economic, competition, trademark, and intellectual property 
issues. 

Define and implement a predictable strategy for selecting new TLDs using 
straightforward, transparent, and objective procedures that preserve the stability of 
the Internet (strategy development to be completed by September 30, 2004 and im- 
plementation to commence by December 31, 2004). 

A successful process for new gTLDs is an important element for introducing com- 
petition into the gTLD space. The trickle of new gTLDs we have seen so far has 
done little to change the market power that .com has maintained since before the 
initial publication of the DNS White Paper in 1998. 

The Policy Development Process that will ultimately recommend a process to ful- 
fill the principles stated in task 8 above was initiated by the Generic Names Sup- 
porting Organization (GNSO) early in December 2005. The current timeline calls for 
these recommendations to be presented to the ICANN Board of Directors at the end 
of this year, a hest case scenario. It will be well into 2007 before the evaluation of 
the success of any resultant process could even begin to be undertaken. 

We believe fulfillment of this task is crucial to the future of ICANN and believe 
it important not to complete the transition of the management of the Internet DNS 
until a successful and sustainable process for the introduction of new gTLD is firmly 
in place. 

Competition exists at the registrar level only. The .com name space continues to 
overwhelmingly dominate the gTLD domain name market. The anti-competitive 
form of registry agreements being contemplated by ICANN and the DOC could very 
well threaten existing competition even at the registrar level. Promoting competi- 
tion, and doing so successfully, needs to remain a core task for ICANN if it is to 
maintain the support of the public it has heen formed to benefit. 

Private, Bottom-Up Coordination, and Representation 

• The principles of private, bottom-up coordination, and representation cannot be 
fully realized without ICANN’s commitment to openness, transparency, and ac- 
countability. ICANN is responsible for an important public trust. To succeed, it 
is vital that all stakeholders have access to those processes; 

• Fully understand the reasons for ICANN’s decisions as a result of those proc- 
esses; 

• And have effective and unbiased recourse if they have reason to question those 
processes and decisions. 

Indeed, ICANN’s own bylaws state: “ICANN and its constituent bodies shall oper- 
ate to the maximum extent feasible in an open and transparent manner and con- 
sistent with procedures designed to ensure fairness,” and “In carr 3 dng out its mis- 
sion as set out in these Bylaws, ICANN should be accountable to the community 
for operating in a manner that is consistent with these Bylaws.” 

ICANN’s Articles of Incorporation state that ICANN is a nonprofit public benefit 
corporation and is not organized for the private gain of any person. As such. Direc- 
tors are bound in the bylaws to act in the best interests of that public benefit and 
to do so in an open and transparent manner. 

However, a number of examples over the last few years demonstrate the failure 
of the ICANN Board and Staff to follow through on these obligations. 

The .net Registry Agreement 

The registry agreement that resulted from the .net re-hid was executed by ICANN 
before the final draft was posted for public comment. This agreement represented 
a significant shift in ICANN’s policy regarding the management of the gTLD DNS 
and name space. The public that ICANN’s actions supposedly benefited cried out 
loud and hard about these policy changes without due process within the commu- 
nity. The community pointed out several problems with the agreement that they be- 
lieved benefited only the registry and ICANN’s corporate structure at the commu- 
nity’s expense. Ultimately, some minor compromises were agreed to hy the winning 
registry, and the ICANN Board publicly apologized and committed to do better. 

The .com Registry Agreement and Law Suit Settlement 

The ICANN Board’s idea of doing better was posting a notice that it had reached 
a settlement agreement with VeriSign to end a long-standing lawsuit. While it is 
true that ICANN posted the settlement agreement for public comment, there had 
been no prior indication of what ICANN was doing in this regard, or that it again 
was considering changes in long understood policy in order to settle the suit. In fact. 
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these policy changes were the exact same ones that the community had complained 
about in regards to the .net Registry Agreement. 

Once again, as this Committee well knows, the community that ICANN was sup- 
posedly benefiting by this settlement made its displeasure known loud and clear, 
especially in regards to the unexpected and early renewal of .com registry agree- 
ment that was part of the settlement. Ultimately, minor changes to the .com reg- 
istry agreement were agreed to by ICANN and VeriSign. These changes did little 
to address the overwhelming concerns of the Internet community. Once again, 
ICANN chose to benefit itself at the expense of the public as a whole. 

Other Registry Agreements 

Most recently, the ICANN Board posted proposed new agreements (not renewals) 
to the .biz, .info, and .org registry operator agreements. Once again, there was no 
prior notice that, despite the previous outrage expressed by the Internet community 
regarding the .com and .net agreements, the ICANN Board was going to implement 
the exact same policy changes in all new gTLD DNS and name space management 
agreements. This belies ICANN’s promise to do better and is in direct contravention 
to their obligation to operate an open and transparent manner. 

This fact is even more serious as it relates to these proposed new agreements. 
After the .net and .com agreement fiascos, the Generic Name Supporting Organiza- 
tion (GNSO), which was appointed by ICANN’s bylaws for the specific purpose of 
recommending policy regarding the gTLD DNS and name space, initiated a Policy 
Development Process (PDP) to address the concerns raised by the community. It 
now appears that the ICANN Board of Directors no longer believes it is bound by 
its own bylaws and is moving ahead without waiting for the outcome of the GNSO’s 
PDP findings. This is yet another poignant example of why the Department of Com- 
merce must maintain control over ICANN, even after the current Memorandum of 
Understanding expires on September 30, 2006. 

Lack of Appropriate Accountability and Review Mechanisms 

All of the above is exacerbated by the fact there are no appropriate accountability 
mechanisms in place to impartially review ICANN Board actions. There are cur- 
rently two accountability and review mechanisms defined in ICANN’s bylaws: 

• Reconsideration — This is basically the Board reviewing itself. The criteria the 
process calls for is restrictive and not useful for most instances where affected 
stakeholders question an action of the Board. In addition, the fact that tran- 
scripts or recordings of Board meetings have never been made available make 
it difficult if not impossible for those affected by Board actions to effectively 
evaluate whether their concerns or questions meet the criteria of the bylaws. 

• Independent Review — This mechanism is entirely untested and has never been 
used. 

We also invite you to visit ICANN’s website and see if you can discover how to 
take advantage of either of these accountability mechanisms. It is next to impossible 
to find anything of substance about how to file either a Reconsider Request or a Re- 
quest for Independent Review, or even who the Independent Review agent actually 
is. 

We believe there needs to be an independent evaluation of how these account- 
ability mechanisms have worked, or will work, and the implementation of any ad- 
justments recommended as a result of that evaluation should be undertaken before 
any final transition can be contemplated. 

'The interests and support of the community ICANN is supposed to benefit is 
shifting. The World Summit on the Information Society (WSIS) and the resultant 
Internet Governance Forum (IGF) is an outcome of that shift. These failures on the 
part of ICANN to adhere to the principles espoused in its own bylaws and Articles 
of Incorporation are accelerating that shift. It is clear that ICANN’s Memorandum 
of Understanding with the Department of Commerce must be extended and modi- 
fied. Openness and transparency are only hinted at in the current Memorandum of 
Understanding. We believe the Memorandum of Understanding should be revised to 
include openness and transparency as overall guiding principles if we are to ever 
see an effective transition of the Internet DNS management to the private sector 
through ICANN. 

Conclusion 

The future of ICANN rests with the public that it was formed to benefit. That 
community’s confidence in ICANN has been shaken by the lack of openness and 
transparency; by the apparent lack of the ICANN Board of Directors to be account- 
able to anyone but itself, and the giant step backward that is now being taken by 
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the introduction of anti-competitive registry agreements that threaten to undo what 
progress has been made. 

The Memorandum of Understanding between the Department of Commerce and 
ICANN should be extended and modified to stress the need to correct these defi- 
ciencies and require a clear roadmap from ICANN as to how it will regain the con- 
fidence of the community upon which its existence relies. 

Thank you again, Mr. Chairman, for the opportunity to be heard on these impor- 
tant issues. Your commitment, and the commitment of the members of this Com- 
mittee, to bringing attention to issues impacting the future of the Internet is sin- 
cerely appreciated. I would be happy to answer any questions you may have. 

The Chairman. Senator Smith is here, and I do want to yield the 
Chair to him. I’ve got to say that from my perspective, we ought 
to have a go-lightly approach, because I think the worse thing to 
happen to the Internet would be to have us start trying to regulate 
it from Congress. We have to find a way to assist, to make sure 
that the transparency and responsibility, and, really, antimonopoly 
concepts, are there for someone like the FTC or the Department of 
Commerce to make proper inquiries, and, if necessary, deal with it. 
But I don’t think we want to start a process of increasing regula- 
tion on the Net. 

I do agree, however, that we’ve got a real difficult problem, be- 
cause we’re just back from China, some of us, in August, and we’ve 
had some conversations over there about the Net and about the 
U.S. domination of the management of the Net. We have to find 
some way to take this to an international forum where we can get 
an agreement that this is a process that the governments of the 
world ought to keep their hands off, but ensure it will function 
through proper transparency and proper participation for all users. 
I don’t know how we’re going to walk down that road, but we’re 
going to continue to have an interest in, and pay attention to, and 
have hearings on, this matter to let more and more people express 
their points-of-view, and hopefully we might even work up a trip 
to go to meet with some of our counterparts in other governments, 
particularly in the very large governments, such as China and 
India and the very populated countries that want to have more of 
a role in how this process functions in their country. But it’s a very 
delicate issue, as far as I’m concerned. 

So, I’m happy to see you back, Mr. Chairman. 

STATEMENT OF HON. GORDON H. SMITH, 

U.S. SENATOR FROM OREGON 

Senator Smith [presiding]. Thank you very much. Chairman Ste- 
vens. And I apologize to all of you for an unavoidable emergency, 
but I’m glad to be here. 

The Chairman. Could I just do one thing? I’d like to place in the 
record, the Glossary of Internet Governance Terms and Organiza- 
tions that was prepared by our staff to help us understand the 
process we have here today. 

Thank you. 

[The information referred to follows:] 
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Glossary of Internet Governance Terms and Organizations 


ccTLD 

Country code Top Level 
Domain 

Two-letter long top-level domain (TLD) used and re- 
served for a country or a dependent territory (.uk 
for United Kingdom, .jp for Japan, etc.) 

DNS 

Domain Name System 

Translates domain names into IP addresses 

gTLD 

Generic Top Level Do- 
main 

TLD domains used worldwide, such as .com, .org, 
.net and .info 

ICT 

Information and Commu- 
nication Technology 

General term for the use of technology in managing 
and processing information, especially in large or- 
ganizations 

lANA 

Internet Assigned Num- 
bers Authority 

Operated by ICANN, oversees global IP address al- 
location, DNS root zone management, and other 
Internet protocol assignments. The technical side 
of ICANN is referred to as “the lANA function” 

ICANN 

Internet Corporation for 
Assigned Names and 
Numbers 

Oversees a number of Internet-related tasks, in- 
cluding managing the assignment of domain 
names and IP addresses, including the introduc- 
tion of new generic top-level domains 

IGF 

Internet Governance 

Forum 

Created at 2005 WSIS in Tunis. IGF’s first meeting 
is scheduled for October 2006 in Athens 

ITU 

International Tele- 
communications Union 

International organization within the U.N. where 
governments and the private sector coordinate 
global telecom networks and services; WSIS and 
IGF (see below) fall under ITU’s purview 

NGO 

Non Governmental Orga- 
nization 

Group or association that acts outside of institu- 
tionalized political structures and pursues mat- 
ters of interest to its members 

NTIA 

National Telecommuni- 
cations and Information 
Administration 

Agency of the Department of Commerce serving as 
principal adviser on telecommunications policies, 
including economic and technological advance- 
ment 

Registrar 


A body recognized by a registry to sell/register do- 
main names (GoDaddy, AfterNic, eNom, etc.) 

Registry 


A company or organization maintaining a central- 
ized database for the TLDs or for some IP ad- 
dress blocks 

WGIG 

Working Group on Inter- 
net Governance 

U.N. working group set up after 2003 WSIS in Ge- 
neva to make proposals for Internet governance 
at the 2005 WSIS in Tunis 

WHOIS 


Method of querying a registry or registrar database 
to determine the owner of domain name 

WSIS 

World Summit on Infor- 
mation Society 

A series of meetings on information and commu- 
nications, including Internet governance, under 
the purview of the lU and UN 


Senator Smith. Thank you, sir. 

Senator Burns? 

Senator Burns. Thank you, Mr. Chairman. 
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Dr. Twomey, you have a Working Group on Internet Governance 
here from the U.N. What kind of a group is this, and what stand- 
ing does it have with regard to ICANN? 

Dr. Twomey. Thank you, Senator. Good to see you again. 

Senator Burns. Good to see you. 

Dr. Twomey. That working group has actually completed its 
work. It was an input to the U.N.’s World Summit on Information 
Society. It, also, has finished its work. The implications for ICANN 
have not been anything significant, in terms of the need to change, 
although you and Senator Stevens have pointed out the inter- 
national interests, obviously, in some of these areas. 

The U.N. continues to run a — what’s called the Internet Govern- 
ance Forum. It’s basically, a meeting point for discussion. But, in 
terms of ICANN’s own operations now, there is — although this is 
an ongoing area for monitoring, they don’t have direct effect at all. 

Senator Burns. In other words, they don’t have any official 
standing with ICANN, then. 

Dr. Twomey. No. 

Senator Burns. And we heard, in the testimony of Ms. Jones, of 
the 5-day waiting period. Are you doing anything to address that? 
I guess it caused — some problems are created by that grace period. 
Can you address that situation and bring us up — tell us, kind of, 
what it is and how it affects your operation. 

Dr. Twomey. Senator, you’re pointing out there’s a — with the 
registries, some of them have agreements — well, they have agree- 
ments with registrars which allow for the registration of a name, 
but not for the payment of that name, within — for a 5-day period. 
And there is an emerging pattern of people putting names in, in 
day one, and seeing whether there’s any value in those names, par- 
ticularly for online advertising, by day five. If there’s not, they keep 
it — if there is, they keep it; if it’s not, they give it back. There are 
some aspects about this that our compliance people are actually 
looking into, but there are also aspects about this which are part 
of the market operating. 

Senator Burns. Do you want to comment on that, Ms. Jones? 

Ms. Jones. Well, we have provided, upon ICANN’s specific re- 
quest, detailed information about registrars who are engaged in the 
practice of purchasing — or registering domain names and then de- 
leting them before the 5-day grace period expires. 

Senator Burns. Is that term — that’s “tasting”? 

Ms. Jones. We would call that “domain-name kiting.” 

Senator Burns. Kiting? 

Ms. Jones. Yes. So, it would be like “check kiting,” but only with 
a domain name, where you register it and then you get a refund 
before the 5-day grace period ends, so you never have to pay for 
it, essentially. We’ve provided information, and they’ve assured us 
that they would investigate further, to the openness and trans- 
parency discussion that we had earlier. We haven’t heard anything 
back from them. 

We would like for the whole entire practice to be eliminated. It 
does appear to be, at least in spirit, a violation of the contract that 
registrars have as a part of their accreditation. 

Senator Burns. What is the cost of that registrar? What does it 
cost? 
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Ms. Jones. Well, for example, with a dot-com name, it would cost 
$6 to register the name, and then you would get the entire $6 back 
when you cancel the registration within that 5-day period. So, it 
wouldn’t cost you anything. And that’s the insidious part of the 
whole practice, is that basically you’re using domain names, and 
taking them away from other legitimate users, without paying for 
them. 

Senator Burns. OK. I guess — maybe the next question — Dr. 
Twomey said — can you justify doubling your budget in the last 5 
years? 

Dr. Twomey. Well, let me just — to the point just made. Senator, 
I have confirmed, personally, with the CEO of Go Daddy, that we 
are investigating this, and we will investigate this particular thing 
you just referred to 

Senator Burns. OK. 

Dr. Twomey. — in — within our compliance terms. 

To come to your point about budget, the demands on — for the co- 
ordination of the DNS to do the sorts of compliance work we’re 
talking about just in this conversation, to do many of the things 
that Christine has already raised, and to be able to support the 
large growth of the DNS, has — does require additional resources. 
We have moved to increase that budget. That budget process is 
done. Senator, through a very bottom-up process. We have a proc- 
ess of — where we have a strategic plan that the community devel- 
ops. Behind that strategic plan, we then develop — there’s an oper- 
ational plan the community all responds on, project by project, and, 
at the end of that process, it’s actually then calculated how much 
does it cost us to do all these things the community wants us to 
do? And that’s the process which has actually driven the increase 
in the budget, as a reaction back to the things that people want 
to do. 

The budget is not a huge amount of money. For this coming fi- 
nancial year, it is budgeted for about $33 million. So, that’s for the 
coordination of all of these factors coming out of that community 
process. 

I’m very, very conscious of the need for accountability on that, 
and for transparency, and we do have, I think, a very accountable 
and transparent process. I wonder if I might just comment on that. 

One of the things that I’m very conscious of, as the President of 
ICANN, is, I think, as an organization, we are actually very trans- 
parent. But, at the moment, we’re suffering a little bit of being 
transparent, like credit card agreements are transparent — every- 
thing’s there, but it’s not necessarily easy for people to understand 
what’s there. And I think that’s one of our great tasks, going for- 
ward. We need to make it not only transparent, but more easy for 
people to understand what’s in the material and what’s being put 
forward. And that’s one of our very high priorities this coming year. 

So, there’s a distinction, I think, between being transparent and 
being accessible, and accessibility is one of our challenges, at the 
moment. 

Senator Burns. Well, it seems to me that the matter of trans- 
parency has surfaced here, and I guess that would — I could follow- 
up — the leverage that the registrars have with regard to the proc- 



40 


ess of ICANN and also with regard to their budget, do they have 
any leverage in that? 

Dr. Twomey. Well, Senator, it’s a good question. The registrars, 
2 years ago — well, 18 months ago — constituted the — by far, the 
greatest contribution to the ICANN budget. And, at the time, they 
themselves asked us to make an effort to rebalance their contribu- 
tion to ensure that the registrees made more contributions. So, in 
the discussions with the registrees concerning their contracts, we 
have actually moved to change the financial flow so that there is 
more contribution, then, from the registrees. We have frozen any 
increases from the registrars on any sort of per-transaction basis, 
and, indeed, we’d look at — they’ve got proposals in front of us of 
being able to change that and amend it, and we are open to alter- 
native sources of revenue. If the registrars put forward to us dif- 
ferent views, we’d decrease their contributions further, as well. So, 
we are very open to their input about ensuring we have a widely 
balanced budget and sources of revenue, and we’ve been working 
toward that, quite specifically. 

The registry agreements, including the dot-com agreement, have 
terms in there specifically coming out of that conversation, to shift 
the balance of contribution. 

Senator Burns. Thank you, Mr. Chairman. 

The Chairman. Mr. Chairman, if I may 

Senator Smith. Yes, of course. 

The Chairman. For your information. I’ve just had a discussion 
with Senator Smith. You know, at times we run into subjects we 
need to know a lot more about. And we’ve had a little habit of call- 
ing just for listening sessions. I think, assuming the management 
doesn’t change around here after this new period we’re going to go 
through here 

[Laughter.] 

The Chairman. — I would want to hold a listening session and get 
people to come in and just tell us what their function is and how 
they view this arrangement, and how much they think we ought 
to be involved, or ought not to be involved. We ought to do some 
listening on this one before we really react. 

Ms. Jones, I appreciate your comments, and I’m sure that Dr. 
Twomey wants to have some counter-comments. But we used that 
process in approaching the communications bill, and it worked very 
well. And I would like to hold a listening session early next year, 
if that’s agreeable to you, Mr. Chairman. 

Senator Smith. Yes, I would heartily agree with that as a need, 
and certainly, I think we should consult Chairman-in-waiting, Sen- 
ator Pryor. 

[Laughter.] 

Senator Smith. But obviously it’s the kind of thing that we all 
look for more knowledge on. 

The Chairman. Well, I have a feeling Senator Inouye would 
agree. 

Thank you very much. I must go to another meeting. 

Senator Smith. OK. Thank you. Senator. 

Senator Pryor? 

Senator Pryor. Thank you, Mr. Chairman. 
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Dr. Twomey — is that how you pronounce your name — Twomey? 
I would like to — I don’t know if you heard my last series of ques- 
tions with the previous panel, but I’d like to ask you about the dot- 
XXX domain. And I would like to understand what happened. You 
know, my impression was that dot-xxx had a lot of support, that 
a lot of folks here in this country and around the world thought 
it was a good idea, could be a good development. But it didn’t hap- 
pen. So, I’d like to hear ICANN’s version of the facts there and 
what happened. 

Dr. Twomey. Senator, ICANN put out, as part of the process for 
introducing more competition among the gTLD space, a round of 
so-called “sponsored top-level domains,” top-level domains that are 
sponsored by a community or a particular grouping for the use of 
their own community. We received ten applications. One of those 
applications was for dot-xxx for the community of responsible 
adult-content providers, as they put it. That — our processes of — in- 
cluded the posting of these agreements, the posting of the com- 
ments, and allowed for a lot of public comment on those consulta- 
tions. It also allows for comments from our various supporting or- 
ganizations, and, very importantly, allows for — in our bylaws, for 
the advice of public — for the provision of public policy advice from 
the Governmental Advisory Committee on which there are over a 
hundred governments participating. 

As the process continued with those various registries, particu- 
larly dot-xxx, we received a lot of public comments. We received, 
I would say, over 100,000 comments from various — online com- 
ments from various members of different associations in the United 
States against the dot-xxx. We received various comments from 
people in favor of it. And we did receive requests from govern- 
ments — not just the United States, but a number of other govern- 
ments — asking for more time to allow governments to consider the 
implications of the application. We had a meeting in March this 
year in Wellington, New Zealand, and in that meeting the Govern- 
mental Advisory Committee put forward some advice concerning 
public-policy issues. 

The Board eventually made a decision based on a number of 
issues that — the reasons for those decisions were made public for 
each of the Board Members. It’s not one comprehensive set of rea- 
sons. But not in a majority — not in a unanimous sense, but in a 
majority sense, most of the Board Members decided that the con- 
tract, as put before us by the applicant — and at the time when the 
applicant asked us, the applicant not only put forward to us a re- 
draft of the contract, but said, “Please vote on this now” — the ma- 
jority of the board, on the basis of that contract, felt that they could 
not proceed, a number of us feeling that some of the provisions in 
the contract were not enforceable. 

So, that’s the sort of formal status of the process that was fol- 
lowed. It has a lot to do with the nature of the contractual lan- 
guage put forward by the applicant, and a lot to do with the timing 
of the request for actually proceeding with that vote. 

Senator Pryor. Well, that may actually go to Senator Stevens’ 
previous point about, maybe we need to know more about this. And 
maybe this also illustrates one of the problems, at least from the 
outside looking in, with ICANN, is that there’s not a lot of trans- 
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parency there, and — at least that’s the perception. And you all go 
through this process, and you’re in New Zealand, and you make 
this decision, and I guess I don’t know what it means that parts 
of the contract are not enforceahle. What does that mean, “parts of 
the contract are not enforceahle”? 

Dr. Twomey. There were aspects of the contract language that 
was put forward that some Members of the Board — and I should 
let the record speak for itself. Senator. I mean, I — the Senate — the 
record of the ICANN Board meeting is available publicly, and the 
decision was available publicly. And the actual wordings of indi- 
vidual Board Members on their rationale for decisionmaking is 
there, available. I — and they felt that certain parts of the — being 
able to — certain language related to enforcing all public — all rel- 
evant public policy from all relevant countries was, sort of, lan- 
guage that some of them found it difficult to consider that was en- 
forceable under the contract. I give that as an example, but I 
should point back to the record. We actually — and we can — I can — 
I’m happy to come back to you in writing to point out the — that 
record, point out the reasons given by the Board Members who 
were voting. 

Senator Pryor. Yes, I’d like for you to do that. 

[The documents from the March 25-31, 2006 meeting in Wel- 
lington, New Zealand are available at http:! I www.icann.org leni 
meetings / Wellington / ]. 

You said that you had about 100,000 negative responses from in- 
side the U.S. Do you know, were those generated by groups or were 
those just 

Dr. Twomey. They were generated by groups, the — groups like 
the American Family Association and others. 

Senator Pryor. OK. And apparently some asked for more time, 
as well. Has ICANN decided to give this more time, or have you 
just — is this a flat rejection? 

Dr. Twomey. There was extensive period of time additionally 
given to this particular application, at that request. And we’re — it 
was the applicant who, themselves, said, “Please move forward 
with this vote. Please, we’d like you to move it to the vote now and 
make a decision, one way or the other,” when that decision was 
made. 

Senator Pryor. Has there been any follow-up with the applicant 
to see if they want to make another run at this? 

Dr. Twomey. The applicant has — the process is not completed, 
because we do have two rounds of — two processes for review avail- 
able to the applicant, both a review committee of the Board and 
then an independent review panel, an independent arbitrator. 

Senator Pryor. Have that 

Dr. Twomey. And then 

Senator Pryor. Has the applicant requested review? 

Dr. Twomey. They have requested — they have requested a re- 
view — the review is underway — but those two mechanisms are still 
available to the applicant. 

Senator Pryor. OK. 

Mr. Chairman, that’s all I have right now. I may have some more 
in writing, but I know we’re trying to get to a vote here in a few 
minutes. 
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Senator Smith. Well, thank you very much, Senator Pryor. And 
I’ll also have some written questions, because of the vote. 

But I do want to ask one, and if you can answer as briefly as 
possible so I can hear your answers, I would appreciate it. As you 
all know, in 2005 the current dot-com registry operator won a com- 
petitive bid process to continue to operate the dot-net domain reg- 
istry. And, with that, the prices have fallen, or at least, for dot-net, 
dropped from $6 to 3.50 through the end of 2006. At the same time, 
lots of security measures, I believe, have been put into the system 
including infrastructure investments. The competitive model 
seemed to work in dot-net, but now, the proposed dot-com registry 
contract apparently removes all of that and puts in automatic price 
increases. And I’m just wondering if that’s defensible, if that’s the 
right thing. 

Dr. Twomey. Senator, I assume that question is to myself, but 
I’ll make two observations. I think you’re actually confusing two 
agreements. The dot-net agreement is the one you’re referring to, 
which 

Senator Smith. Correct. 

Dr. Twomey. All right. The dot-com agreement — if your question 
is going to the question of rebidding — the dot-com agreement proc- 
ess of whether it could be rebid or not was decided in 2000 and 
2001 by discussions by then-ICANN Board Members, the DOC, and 
VeriSign, and that was a whole set of discussions involving, if you 
like, breaking up the control that VeriSign had on dot-com, dot-net, 
and dot-org, where dot-org was rebid so that VeriSign could not 
rebid, dot-net was rewritten such that dot-net could be rebid and 
VeriSign could be one of the bidders, and dot-com was agreed 
would continue under dot-com’s — under VeriSign’s control. That 
was actually in the 2001 contract. 

As the contracts come up for renewal or rediscussion now, the 
ICANN Board does not have any legal freedom to be able to change 
the provision that was in the — already agreed in the 2001 set of ar- 
rangements agreed with the Department of Commerce, VeriSign, 
and the then-ICANN Board. So, the point you’re — the point 
you’re — it’s just to distinguish between those two contracts. 

Senator Smith. Correct. Well, thank you for that. 

I guess the question that a lot of people are asking now, though, 
is, what’s wrong with bidding out the dot-com? And why not let 
VeriSign win it, if they can, with a competitive bid? 

Dr. Twomey. Well, apart from the question that — the legal dif- 
ficulties that we have already under contract, with that particular 
question, I think there’s a second question that the ICANN Board 
is taking very seriously about its responsibilities for both competi- 
tion and also security and stability. The introduction of new 
gTLDs, introduction of new TLDs available to compete with dot- 
com, we think, is a very important part of implementing competi- 
tion. The second point we should make very clear is the introduc- 
tion of new registrars has been a key part of the competition for 
registrants. We now have nearly 800 registrars, and it’s the com- 
petition amongst registrars that have reduced prices significantly 
to the end users. 

Indeed, the changes in pricing we saw in dot-net have not, on the 
whole, been passed through to registrants. The registrars them- 
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selves have taken the benefit of those price reductions, not the reg- 
istrants. And that’s the nature of the structure of the market, with 
registrars traditionally competing separately. 

So, the question of competition, we think, is very much about an 
introduction of new gTLDs. The Board has also thought very care- 
fully about the position put to the — by the various registries of 
their need for certainty for capital investment, for the sorts of in- 
vestments that security and other demands are making upon them. 
And while the board has not moved to reduce the provisions in the 
contract which allow us to intervene in the case of people breaching 
security arrangements and being able to move against them, the 
board has come down, on balance, to say there is — they are per- 
suaded by the need to have certainty for capital investment as 
being an important part of ensuring security and stability. 

Senator Smith. And is that what justifies the automatic price in- 
creases? 

Dr. Twomey. Well, that’s what’s justifying the renewals. 

Ms. Jones. Mr. Chairman, may I be heard briefly on that point? 

Senator Smith. Yes. 

Ms. Jones. I’m happy to hear the commitment to additional in- 
frastructure spending, but I think the point is, if there is going to 
be a presumptive renewal and an automatic price increase built 
into this contract, there should be some price justification. And to 
your point about the dot-net agreement, when that was competi- 
tively bid, the price didn’t increase by 7 percent, the price de- 
creased. And that goes to a lot of reasons, not just because of econo- 
mies of scale, but also because what we’re talking about are com- 
modity products — ^bandwidth and hosting and all of the things that 
all of us buy and all of us have to spend money on. We do it, too, 
with our system and our networks. The costs of all of it — ^you 
know — because when you buy a laptop today it costs you one-tenth 
of what it cost 10 years ago. Prices go down. And so, put aside for 
a minute the economies of scale, because we know that VeriSign 
built this huge system that’s magnificently scalable, and we all ad- 
mire them for it. Put that aside for a minute. Even if we didn’t 
take that into consideration, we still know that commodity pricing 
goes down. And so, there is simply no reason, that we can see, to 
build in a price increase; and if they’re going to build in a price in- 
crease, tell us why. 

Senator Smith. What’s the justification? 

Ms. Jones. Why do you need the price increase, and why is it 
so difficult to say it? 

Senator Smith. I mean, you’ve said my question better than I 
did. But, I mean. I’ve been in the commodity business, myself, and, 
frankly, economies of scale and commodity pricing, such that where 
there is competition, it doesn’t warrant these kinds of increases. 
But, Mr. Silva, maybe you have another view of that. 

Mr. Silva. Senator, I’d like to follow up on that, if I may. 

Ms. Jones is a very good attorney, and she’s representing her cli- 
ent very well. OK? But she’s not a technologist. OK? We’re not 
talking about commodity hardware here. OK? We’re talking about 
massively scalable databases. OK? These are very complex. Moving 
data in a disaster-recovery scenario from one place to another is 
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significantly more complicated in a database that size. Significantly 
more. 

So, dot-net prices did go down during the rebid process. It’s a dif- 
ferent animal. It’s a much smaller zone. It’s a much smaller prob- 
lem, quite frankly. OK? 

Now, I will point out that consumers never saw one red cent of 
that reduction in price. OK? Registrars maintained the same prices 
that they were before the price reduction from the registry. 

Now, let’s — so, first of all, there’s no automatic price increase at 
7 percent. OK? What there is, is the possibility of a price increased 
based on the security and stability needs that we have at the time. 
So, let me 

Senator Smith. And who will approve the increase? 

Mr. Silva. Well — OK, so there is the — all right, so let’s think 
about what happened prior to Katrina. OK? The Army Corps of En- 
gineers, for a number of years, attempted to justify cost increases 
to reinforce the levees around New Orleans. OK? For a number of 
years. Sometimes they got some funding, sometimes they didn’t, 
but they probably never got all of the funding that they wanted. 

Now, when a hurricane started forming out in the tropics, and 
started heading in that direction — OK? — they probably would have 
gotten all the funding that they wanted at that time. The problem 
is, it would have been too late. OK? 

We constantly probe and penetrate our systems, and know where 
their weaknesses are, know where their scalability is, and know 
where it’s about to fail. We know better than anyone when we have 
to make that investment, sometimes 3 or 4 years out. Sometimes 
it has to be made in 6 months, sometimes it has to be made in 3 
months. OK? 

So, there are also consensus policies that are built into the agree- 
ment — OK? — which continually change the raising of the bar for 
the security standards. OK? This is a very fluid requirement. And 
if we take — for example, 2 years ago, when I worked on the NRIC 
Council, OK, on cybersecurity, we made 150 recommendations for 
what companies ought to do to reinforce cybersecurity. The fol- 
lowing year, we made 250. OK? We will never know, at any snap- 
shot in time, what that number’s going to be, or what it’s going to 
equate to. But we have increased capacity 10,000 times. We have 
10,000 times the capacity today that we had in 2000. OK? And that 
still is not enough. OK? And I can’t predict to you what it’s going 
to be in 2012. OK? But in terms of cost justification — OK? — this is 
really — this really boils down to security and stability. When we 
need to spend the money, we need to spend the money. OK? And 
we can’t go to our competitors and ask them for permission to 
spend it. 

Senator Smith. Well, please be clear. I’m not saying the price in- 
crease is justified or not. I’m simply inquiring, because I want to 
make the point to you that this is one of the areas of concern. Usu- 
ally when you have just one provider, you have a potential monop- 
oly, and that requires regulation. I’m not a regulator. 

Mr. Silva. Right. 

Senator Smith. But I am saying that with a monopoly, without 
regulation, there has got to be some sort of market test, and I 
think people are going to be looking to you to justify these levels 
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of increases. And it may be entirely warranted. I’m not making a 
judgment on that. But it is an area of real concern. 

Mr. Silva. Right. So, I think, in this particular case — OK? — that 
is what is built into the agreement, is a cap on the amount that 
they can, in fact, be raised. OK? So, for 7 years they weren’t raised 
at all. OK? Not at all. OK? Even though the number of registra- 
tions grew at a specific rate — OK? — the threats and the volume of 
traffic that we see, just in normal traffic — OK? — security issues 
aside, the security issues are so phenomenally higher, in terms of 
the volume of activity that we see, over what we register as new 
names — OK? — 6 months ago — or, excuse me — so, 8 months ago, I 
would have told you that, yes, you know, it’s perfectly reasonable, 
we could probably forecast out a couple of years what we would 
need. And then all of a sudden January came, and we got hit with 
an attack ten times larger than anything we would have expected. 
And I can tell you right now that when I briefed the Department 
of Homeland Security, and when I held a classified briefing with 
the Senate Intelligence Committee on exactly what this threat 
meant, not only to our system, but to their systems — OK? — they 
took this very seriously. National Infrastructure Protection Plan 
calls for private industry to make significant investments where 
they control critical infrastructure. We plan on making those crit- 
ical investments. And basically that’s what these provisions are for, 
so that when all of a sudden Windows Vista™ comes out — and ex- 
perts have said that that could as much as double the amount of 
DNS traffic — we’re able to respond to it in a timely fashion. 

Senator Smith. I wish we had more time to go on with this, but 
I’m going to miss a vote if I don’t adjourn this hearing. I, again, 
apologize for my delay, and I thank my colleagues for proceeding, 
out of respect for your time. We thank you for your contribution to 
this hearing. And we have more to learn and more to do, because 
this is an enormously important topic. 

So, with that, we thank you and we’re adjourned. 

[Whereupon, at 11:30 a.m., the hearing was adjourned.] 



APPENDIX 


Prepared Statement of Hon. Gordon H. Smith, U.S. Senator from Oregon 

I call to order this hearing of the Senate Subcommittee on Trade, Tourism, and 
Economic Development. 

Today’s hearing considers Internet governance and the future of ICANN. 

In 1997, the Secretary of Commerce was directed by the President to privatize the 
management of the domain name system in a manner that increases competition 
and facilitates international participation in its management. 

Soon thereafter the Department of Commerce signed an official Memorandum of 
Understanding recognizing ICANN — the Internet Corporation for the Assignment of 
Names and Numbers, as the new, not-for-profit corporation to manage the domain 
name system. 

Under the terms of the MOU, ICANN has the authority to: 

1. Set policy for, and direct the allocation of, the IP addresses that underlie 
each domain name. 

2. Oversee the operation of an authoritative root server system, 

3. Set the policies for determining how new top level domains would be added 
to the root system; and 

4. Coordinate the assignment of the Internet technical parameters needed to 
maintain the universal connectivity of the Internet. 

The MOU between the Department of Commerce and ICANN expires on Sep- 
tember 30, 2006 among controversy in the international community. 

Some are suggesting that no single government should have a preeminent role in 
relation to the Internet and are calling for further internationalization of Internet 
governance. 

This would be a mistake. The current system for management of the domain 
name system works. The Secretary of Commerce should maintain oversight of 
ICANN so that ICANN can continue to manage the day-to-day operation of the 
Internet’s domain name and addressing system and remain responsive to all Inter- 
net stakeholders worldwide. 

Today’s hearing will examine the management and governance of ICANN, includ- 
ing the future of the Domain Name System, recent concerns expressed regarding the 
current ICANN-VeriSign settlement agreement, and privacy issues surrounding the 
“WHOIS” database. 

I thank all of our witnesses for rearranging their schedules to appear before the 
Subcommittee and look forward to your testimony. 


Response to Written Questions Submitted by Hon. Daniel K. Inouye to 

John M.R. Kneuer 

Question 1. As part of the settlement of a long-running dispute between ICANN 
and VeriSign, the ICANN Board of Directors approved a new dot-corn agreement 
with VeriSign. Under this settlement, VeriSign will be in charge of the dot-com reg- 
istry until 2012 (with a presumption that the agreement will be renewed beyond 
that date), and will be able to raise domain registration fees by 7 percent in four 
of the next 6 years. Critics of the settlement assert that the agreement is anti- 
competitive, giving VeriSign a virtually permanent monopoly over the lucrative dot- 
com registry, while also enabling VeriSign to raise registration fees without jus- 
tification. 

Many critics of the settlement agreement argue that the presumptive renewal 
clause would allow VeriSign to hold on to the dot-com registry in perpetuity. How 
do you see ICANN holding the registry operator accountable without the strong le- 
verage of awarding the contract to a competing operator? 

( 47 ) 
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Answer. Over the course of the past 6 months, I and other Commerce Department 
officials have met with a number of interested stakeholders including registrars, 
Internet service providers, and search engine companies with interests in or con- 
cerns about the .com Registry Agreement. The concerns have largely focused on the 
impact on competition of the proposed price increase for registrations permitted by 
the new agreement and the terms for future renewals of the new .com Registry 
Agreement. The Commerce Department has sought the advice of the Antitrust Divi- 
sion of the Justice Department on the competition concerns raised. 

It is also important to note that other interested stakeholders have advocated that 
the renewal terms of the proposed agreement benefit the security and stability of 
the Internet domain name system. We have also consulted with those Federal agen- 
cies with expertise in the areas of security and stability on this matter. 

Based on the information that we have gathered, I am confident that any decision 
made by the Department will appropriately balance all of these interests to ensure 
the continued stability and security of the Internet domain name system and of pro- 
moting the consumer benefits of a competitive marketplace. 

Question 2. One of ICANN’s primary missions is to promote competition. How 
does a presumptive renewal clause promote competition? 

Answer. As noted above, the Department is reviewing the proposed new agree- 
ment in its entirety to ensure both the continued stability and security of the Inter- 
net domain name system and of promoting the consumer benefits of a competitive 
marketplace. 

Question 3. Cybersecurity is a critical mission that all organizations struggle with. 
How can ICANN ensure that the registry operators are making the necessary secu- 
rity enhancements to guarantee the stability of the domain name system? How can 
ICANN hold a registry operator accountable? 

Answer. Cybersecurity standards are developed by various industry organizations, 
such as the Internet Engineering Task Force (IETF), ISO, and IEEE, and adherence 
to the various standards is voluntary for the most part. While ICANN is not a 
standards organization, it promotes the adoption of industry standards through its 
agreements with registry operators to comply with these standards. Registry agree- 
ments address the technical performance obligations, including compliance with the 
various industry-developed standards, security requirements and outage reporting 
that all registry operators must meet. In addition each registry agreement contains 
a service level agreement which clearly sets forth the registry operator’s obligation 
for failure to meet the technical performance specifications. 

Question 4. Assuming that NTIA approves the settlement agreement, what mech- 
anisms would ICANN have available to ensure that it has meaningful control over 
the service quality or conduct of registry operators? 

Answer. Like any commercial agreement between private sector parties, the pro- 
posed new .com Registry Agreement contains enforcement provisions. It also con- 
tains quality of service commitments that ICANN can enforce under the terms of 
the agreement. 

Question 5. The settlement agreement allows VeriSign to raise domain registra- 
tion fees by 7 percent in four out of 6 years without having to provide a justification. 
Do you believe that a registry operator should be required to publicly justify any 
price increases? 

If no — Why not? Doesn’t a registry operator enjoy a monopoly over the pricing for 
a specific top-level domain? 

If yes — What concerns do you have with the VeriSign settlement that would allow 
it to increase prices by 7 percent four out of 6 years without having to provide a 
justification? How is such a clause not anticompetitive? 

Answer. The domain name marketplace is not a regulated one. Prices are set 
based on negotiations between private sector parties. The price cap for .com reg- 
istrations and price adjustments permitted under the proposed new .com Registry 
Agreement were negotiated by ICANN and VeriSign. 

Nevertheless, the Commerce Department is aware of the concerns raised pri- 
marily by the registrar community about the impact of a price increase on their in- 
dustry. We have been in consultation with the Antitrust Division on this issue and 
will be guided by its advice in any final decision the Department makes. 

Question 6. Do you think it is reasonable for a registry operator to explain to 
ICANN their reasons for a price increase, and then have ICANN approve or reject 
such a proposal accordingly? 

What criteria is used to evaluate price increases? Specifically, under what cir- 
cumstances would an automatic price increase without justification be acceptable? 

Answer. As noted above, the domain name marketplace is not a regulated one. 
Prices are set based on negotiations between private sector parties. To introduce 
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government price regulation would be a significant departure from the status quo 
and massive introduction of government regulations that does not currently exist 
into a private marketplace. 

Question 7. I understand the Department of Justice’s Antitrust Division was 
asked to review the settlement agreement. Can you share with us the Division’s con- 
cerns? How are these concerns being addressed? Were there recommendations or 
suggestions made that are not being implemented or considered? 

Answer. During its review of the proposed new .com Registry Agreement, the 
Commerce Department has sought the advice of the Antitrust Division of the Justice 
Department regarding the impact on competition of the proposed price increase for 
registrations permitted by the new agreement and the terms for future renewals of 
the revised new .com Registry Agreement. The Antitrust Division has been gath- 
ering information from the parties, interested stakeholders, and others on these 
issues, to provide its analysis and advice to the Department on any competition 
issues that may be raised by the proposed agreement. We expect to rely on this ad- 
vice to evaluate the potential impact on competition of this agreement. 

Question 8. Are you open to bringing together the different stakeholders in order 
to arrive at a solution that will satisfy the different parties and still ensure the pro- 
motion of competition? 

Answer. In addition to its consultation with the Department of Justice’s Antitrust 
Division regarding the competition issues raised by the proposed new .com Registry 
Agreement, I and other Commerce Department and Antitrust Division officials have 
met with a number of interested stakeholders, including registrars, Internet service 
providers, search engine companies, among others, with interests in or concerns 
about the agreement. The Commerce Department has also heard from a number of 
stakeholders advocating the benefits of the new agreement for the security and sta- 
bility of the Internet domain name system. We have also heard from Members of 
Congress on both sides of the issue. Commerce Department and Antitrust Division 
officials have been gathering information from proponents and opponents of the 
agreement and I am confident that this information will be taken into consideration 
in any final decision that is made. 

Question 9. Transparency has long been a concern with ICANN. Many critics 
argue that the ICANN Board operates behind closed doors, even though the organi- 
zation is charged with developing consensus through a “bottom-up” approach. Can 
you comment on ICANN’s transparency issues? How has this improved over the 
years? How can the organization continue to improve? 

Answer. The Department has long considered transparency to be a fundamental 
principle to ICANN’s overall mission and function. The current Memorandum of Un- 
derstanding (MOU) was structured to ensure that ICANN becomes a sufficiently 
stable, transparent, representative, and sustainable management organization capa- 
ble of handling the important tasks associated with the technical management of 
the Internet domain name system into the future. This MOU also contains specific 
provisions intended to improve transparency, efficiency, and timeliness in the con- 
sideration and adoption of policies. While ICANN has made several improvements 
in its decisionmaking and policy development processes, as well as in internal re- 
views and evaluations of these processes, I believe ICANN is mindful of the need 
for continual improvement. The Department’s recent public consultation process has 
revealed strong support from a majority of interested stakeholders for a more spe- 
cific focus on transparency and accountability in ICANN’s internal procedures and 
decision-making processes. 

Question 10. The ICANN Board has proposed new contract agreements for the op- 
erators of dot-biz, dot-info, and dot-org. The contracts for dot-biz and dot-info are 
not up for renewal until next year and dot-org isn’t to be renewed until 2009. The 
public was not aware that negotiations were taking place until ICANN posted the 
proposed agreements for public comment. Can you comment on ICANN’s trans- 
parency in developing the proposed agreements for the dot-biz, dot-info, and dot-org 
top-level domains (TLDs)? 

One element of the newest proposal is to allow for differential pricing of domain 
names. Can you explain the public policy rationale behind allowing a registry to 
apply a differential pricing scheme for specific domain names? 

Is there concern that a registry could limit free speech by charging an unreason- 
able fee to register a domain name critical of political party, public figure, or issue? 

Answer. The proposed new registry agreements for the .biz, .org, and .info top 
level domains are commercial agreements between private sector parties. As I un- 
derstand it, under the terms of the existing agreements, the parties can mutually 
agree to amend or enter into new agreements. The Department of Commerce has 
not examined the pricing provisions of these agreements. ICANN has posted all 
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three agreements for comments from interested stakeholders. I expect ICANN will 
fully consider the interests of all interested stakeholders as it negotiates these 
agreements. 

Question 11. Last year NTIA urged ICANN to reject the creation of a dot-xxx top 
level domain. Under pressure from the U.S. Government, and much to the con- 
sternation of the international community as a result, ICANN ultimately rejected 
the dot-xxx domain. Can you describe NTIA’s involvement in rejecting the creation 
of a dot-xxx top level domain? 

Answer. In June 2005, the ICANN Board of Directors approved the initiation of 
negotiations between ICANN staff and ICM Registry, the applicant for the .xxx do- 
main. Beginning in July 2005, ICANN’s Governmental Advisory Committee (GAC) 
began to raise questions regarding the procedure followed by the Board in reviewing 
the application and its rationale for entering into contract negotiations. On August 
11, 2005, then-NTIA Assistant Secretary Michael D. Gallagher sent a letter to 
ICANN’s Chairman of the Board requesting that ICANN take into consideration all 
comments it received during its consideration of this application (see letter to Dr. 
Vinton Cerf, attached). 

In response to the GAC’s request for additional information and requests from 
other governments, ICANN released its comprehensive Evaluation Report on all of 
the sponsored top level domain applications in November 2005. The ICANN Board 
elected to defer consideration of the .xxx application pending a review of the Report 
by the GAC. 

The GAC considered the report and additional information during its March 2006 
meeting in Wellington, New Zealand prior to the ICANN Board meeting there. The 
GAC conveyed its views and concerns to the Board through a communique. As part 
of the process in developing that communique, I sent a letter dated March 20, 2006, 
to the GAC Chairman expressing concerns about ICANN’s ability to obtain the pub- 
lic policy benefits promised by the applicant absent enforceable contract terms in 
the proposed .xxx Registry Agreement (see letter to Mr. Sharil Tarmizi, attached). 

On May 10, 2006, the ICANN Board of Directors made a final decision to dis- 
approve the pending application from ICM Registry to manage the proposed .xxx top 
level domain. 


Attachments 

U.S. Department of Commerce — The Assistant Secretary for 

Communications and Information 

Washington, D.C., August 11, 2005 

Dr. Vinton Cerf, 

Senior Vice President, Technology Strategy, 

MCI 

Ashburn, VA. 

Dear Dr. Cerf: 

I understand that the Board of Directors of the Internet Corporation for Assigned 
Names and Numbers (ICANN) is scheduled to consider approval of an agreement 
with the ICM Registry to operate the .xxx top level domain (TLD) on August 16, 
2005. I am writing to urge the Board to ensure that the concerns of all members 
of the Internet community on this issue have been adequately heard and resolved 
before the Board takes action on this application. 

Since the ICANN Board voted to negotiate a contract with ICM Registry for the 
.xxx TLD in June 2005, this issue has garnered widespread public attention and 
concern outside of the ICANN community. The Department of Commerce has re- 
ceived nearly 6,000 letters and e-mails from individuals expressing concern about 
the impact of pornography on families and children and opposing the creation of a 
new top level domain devoted to adult content. We also understand that other coun- 
tries have significant reservations regarding the creation of a .xxx TLD. I believe 
that ICANN has also received many of these concerned comments. The volume of 
correspondence opposed to creation of a .xxx TLD is unprecedented. Given the ex- 
tent of the negative reaction, I request that the Board will provide a proper process 
and adequate additional time for these concerns to be voiced and addressed before 
any additional action takes place on this issue. 
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It is of paramount importance that the Board ensure the best interests of the 
Internet community as a whole are fully considered as it evaluates the addition of 
this new top level domain. Thank you for your attention to this matter. 

Sincerely, 

Michael D. Gallagher. 

cc: Dr. Paul Twomey 


U.S. Department of Commerce — The Assistant Secretary for 

Communications and Information 

Washington, D.C., March 20, 2006 

Mr. Sharil Tarmizi, 

Senior Advisor, Office of the Chairman, 

Malaysian Communications and Multimedia Commission; 

Chair, Government Advisory Committee of ICANN, 

Selangor Darul Ehsan, Malaysia. 


Dear Mr. Tarmizi, 


Pursuant to the ICANN Government Advisory Committee (GAC) meeting in Van- 
couver in November 2005, the Department of Commerce has undertaken an analysis 
of the proposed .xxx Registry Agreement to determine whether its provisions reflect 
the commitments made by ICM Registry. As you will recall, the ICM Registry pres- 
entation to the GAC outlined in some detail the anticipated public interest benefits 
of its application for the .xxx top level domain. 

The attached assessment indicates that the key commitments offered by ICM Reg- 
istry to the GAC are not reflected in the provisions of the proposed .xxx Registry 
Agreement. In your capacity as GAC Chair and GAC liaison to the ICANN Board, 
NTIA would appreciate your sharing this information with both the GAC and the 
Board prior to the Wellington, New Zealand meeting. 

Sincerely, 


John M.R. Kneuer, 
Acting Assistant Secretary. 


cc: Mr. Paul Twomey. 


Omissions in the Proposed .xxx Registry Agreement 

In its application, supporting materials, and presentation to the Governmental 
Advisory Committee in November 2005, ICM Registry (ICM) promised certain public 
interest benefits as part of its bid to operate the .xxx domain. These promises, how- 
ever, have not been included in the proposed .xxx Registry Agreement negotiated 
with ICANN, and thus, ICM is not obligated to provide these public interest bene- 
fits. Section 8.12 of the .xxx Registry Agreement provides in pertinent part: “This 
Agreement (including its Appendices, which form a part of it) constitutes the entire 
agreement of the parties hereto pertaining to the operation of the TLD and super- 
sedes all prior agreements, understandings, negotiations and discussions, whether 
oral or written, between the parties on that subject.” Thus, if ICM is not required 
to provide the public interest benefits by the terms of its registry agreement, it is 
not obligated to do so. 

Below is a sample of the ICM promises that do not appear in the proposed .xxx 
Registry Agreement: 

To Form a Nonprofit Policy Development Entity to Create Rules for .xxx. In the 
.xxx application, ICM stated that it formed a nonprofit Canadian entity (Inter- 
national Foundation for Online Responsibility (IFFOR)) to develop rules and policies 
to govern a new .xxx domain. ICM Application, Part B, at 2-5, 7-13. The proposed 
.xxx Registry Agreement does not require ICM to form or maintain this nonprofit 
entity or to abide by any .xxx rules it would establish. Instead, the proposed .xxx 
Registry Agreement delegates all policy development authority for .xxx to ICM. In 
fact, the proposed .xxx Registry Agreement provides that the IFFOR Board will not 
be created until the day that the agreement is signed and will not be in place until 
90 days after signing. See .xxx Registry Agreement, Appendix S. Moreover, IFFOR 
is not a party to the proposed .xxx Registry Agreement. 

To Require .xxx Registrants to adhere to Best Business Praetices as a condition of 
.xxx registration. ICM promised that IFFOR would develop rules to this effect (ICM 
Application, at 3, 16). There is no requirement to do so in the proposed .xxx Registry 
Agreement and IFFOR is not a party to this agreement. 

To Require all .xxx Registrations to be ICRA Labeled. In its presentation to the 
ICANN Government Advisory Committee, November 29, 2005, ICM promised that 
it would require all .xxx registrations to be labeled according to the Internet Con- 
tent Ratings Association (ICRA) ratings to permit filtering of content. ICM further 
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promised that any website that points to a .xxx site must also be ICRA labeled. 
There is no provision in the proposed .xxx Registry Agreement that would obligate 
ICM to require such labeling. 

To Safeguard Children Online. ICM promised that IFFOR would sponsor the de- 
velopment of technology tools and education programs for parents. (ICM Applica- 
tion, at 3, 16; The Sponsored .xxx TLD Proposals: Executive Summary for the 
ICANN Board, at 2). ICM also promised that IFFOR would fund the participation 
of independent advocates for children (ICM Letter to ICANN, October 9, 2004, at 
17). These promises are not reflected in ICM’s obligations in the proposed .xxx Reg- 
istry Agreement and IFFOR is not a party to this agreement. 

To Combat Child Pornography. ICM promised that IFFOR would provide funding 
and tools to combat online child pornography and to prohibit child pornography in 
the .xxx domain as defined by international law. (ICM Application, at 3; ICM Letter 
to ICANN, August 15, 2005, at 2; ICM’s Responses to Evaluators’ Questions, Ques- 
tion 2). This promise is not reflected in ICM’s obligations in the proposed .xxx Reg- 
istry Agreement and IFFOR is not a party to the agreement. 

To Implement a WHOIS Compliance Program. In its application (ICM Application, 
at 20-21), ICM promised to document false and inaccurate WHOIS data and to im- 
plement additional verification processes. This promise is not reflected in ICM’s obli- 
gations in the proposed .xxx Registry Agreement. 

To Provide Funds for Global Child Initiatives. ICM promised to give IFFOR $10 
per .xxx domain name so that IFFOR can make some of this funding available for 
global child advocacy community targeted especially to eradicate child pornography. 
(ICM Memorandum to the ICANN Board of Directors, November 2, 2004, revised 
December 7, 2004, at 5). ICM also promised that IFFOR would provide grants to 
developing countries in the area of child online protection. (ICM’s Responses to 
Evaluators’ Questions, Question 7). There is no obligation in the proposed .xxx Reg- 
istry A^eement for ICM to fund IFFOR or for IFFOR to provide this kind of finan- 
cial assistance to child advocacy groups or developing countries. Moreover, IFFOR 
is not a party to the .xxx Registry Agreement. 

To Prohibit Child Exploitation ineluding Requiring Proof of Age of Aetors Por- 
trayed in Content in .xxx Domain. In its presentation to ICANN’s Board, April 3, 
2005, ICM promised that this prohibition would appear as part of its registration 
agreement with .xxx domain name holders. There is no obligation in the proposed 
.xxx Registry Agreement to this effect. 

To Promote Responsible Marketing Praetices by Requiring .xxx Registrants to 
Agree to Combat SPAM and Not Use Malicious Codes and Technologies (i.e.. Spoof- 
ing) and other Illegal and Questionable Marketing Practices. ICM Presentation to 
ICANN, April 3, 2005; White Paper, Thinking Outside the Porn Box, Annex B, 
ICM’s Intentions. There is no obligation in the proposed .xxx Registry Agreement 
to this effect. 


Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
Christine N. Jones 

Question 1. Many of the concerns about the proposed VeriSign-ICANN agreement 
are coming from other registrars. The transfer of the dot-com registry to VeriSign 
would affect other registry services as a whole. How do the presumptive renewal 
and guaranteed price increases included in the proposed agreement concern reg- 
istrars? 

Answer. In the current environment, allowing .com prices to increase without cost 
justification is anti-competitive. .Com still has considerable market power making 
up 75 percent of all registered gTLD domain names and 80 percent of the ongoing 
market share. The price increases allowed in the proposed agreement will net 
VeriSign over $1 Billion in incremental revenue based on current growth projec- 
tions, all of which will be passed on directly to consumers, registrars’ customers. 

VeriSign has repeatedly stated that it needs these additional funds to ensure the 
stability and security of the .com DNS. We have no problem with that, but ask then 
that at the very least VeriSign be required to demonstrate that need when request- 
ing all price increases, and be required to invest a significant portion of the addi- 
tional funds in the .com DNS infrastructure. 

We explain our concerns with the presumptive renewal in our response to the 
next question. 

Question 2. Would the proposed agreement possibly hinder ICANN’s ability to be- 
come an autonomous body by relinquishing a substantial amount of control over the 
dot-com registry? 
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Answer. If ICANN’s mission continues to include ensuring the security and sta- 
bility of the Internet’s Domain Name System (DNS), then yes. 

The .com DNS is arguably the most important element of the Internet DNS. Yet 
the proposed agreement basically hands the responsibility of the security and sta- 
bility of the .com DNS entirely over to VeriSign, leaving ICANN very little recourse 
if there are problems. The form of presumptive renewal being proposed in the agree- 
ment allows VeriSign to breach it, even repeatedly, with little more than financial 
penalties as long as they cure the breaches. There is also no requirement for 
VeriSign to invest in the .com DNS infrastructure. 

However, under the current agreement, the conditions of presumptive renewal 
would allow ICANN to make a determination as to VeriSign’s continued ability to 
manage the .com DNS and to provide a substantial service to the Internet commu- 
nity (Section 25. B). Breaches of the agreement and its service level requirements in 
particular, would certainly be a factor in that determination. The current agreement 
also required VeriSign to make substantial investments in the DNS infrastructure 
it was contracted to manage, $200 million to be exact. 

.Com is too important to simply assume that giving VeriSign a perpetual renewal 
without conditions will be incentive enough to ensure they continue operating it re- 
sponsibly, or that they will make the necessary infrastructure investments to ensure 
stable and secure operations. ICANN, at a minimum, must allow itself an out to 
re-bid .com if VeriSign fails to continue to meet the conditions as stated in 26. B of 
its current agreement, and must require VeriSign to make substantial investments 
in the .com DNS infrastructure. 

Question 3. What concerns would the reduced control over the dot-com registry 
and its security measures raise for the registrar community? 

Answer. The reduced control, as a result of the strengthened form of presumptive 
renewal, demonstrates an assumption that ICANN is making — that VeriSign will 
continue to qualify as registry operator for .com and will continue to invest in its 
infrastructure appropriately. .Com is too important to make such assumptions re- 
gardless of VeriSign’s past performance. Investment requirements, cost justifications 
for price increases, and the potential for eventual re-bid would be far more moti- 
vating and provide the Internet community better assurance of reliable performance 
of its most important gTLD. 


Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
Hon. Jon Leibowitz * 

Question 1. What effect would the lack of competition and price controls have on 
competition in the marketplace? 

Answer. Your question raises important issues about the effects of anticompetitive 
conduct and, as I understand it, specifically relates to the competitive effects of the 
proposed settlement agreement between ICANN and VeriSign, Inc. (the “VeriSign 
Settlement Agreement” or “Agreement”). 

Generally, consumers benefit from unfettered competition in the marketplace. 
Consequently, the FTC seeks to prevent business practices that restrain competi- 
tion — including agreements among competitors to limit competition, attempts to mo- 
nopolize an industry through unfair or exclusionary practices, and anticompetitive 
mergers and acquisitions. However, each case requires a careful evaluation of the 
challenged business practice. 

In regard to the competitive implications of the VeriSign Settlement Agreement, 
the Department of Commerce (DOC) and the Department of Justice (DOJ) are both 
already considering this issue. Pursuant to agreements among DOC, VeriSign, and 
ICANN, the VeriSign Settlement Agreement is subject to DOC’ s approval. DOC has 
consulted with interested stakeholders about the Agreement and has sought DOJ’ 
s advice on its competitive effects. I am aware that Senators Hatch and Leahy have 
sent letters to the Secretary of Commerce highlighting the goal of open competition 
and the importance of DOJ’ s guidance with respect to whether the VeriSign Settle- 
ment Agreement has any potential anticompetitive effects. I understand that DOC 
and DOJ are analyzing the competitive implications of the Agreement and assessing 
its effects on both stakeholders within the ICANN community and on American con- 
sumers. 


*The written testimony submitted for the September 20, 2006 hearing reflects the views of 
the Federal Trade Commission (“FTC” or “Commission”). However, my responses to these post- 
hearing questions reflect my own views and do not necessarily reflect the views of the Commis- 
sion or of any other Commissioner. 
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Question 2. What concerns do the lack of justification behind the guaranteed price 
increases raise for you? 

Answer. Again, my understanding is that your question relates to the VeriSign 
Settlement Agreement, which DOC and DOJ are currently reviewing. 

Question 3. Worldwide attention is focused on ICANN and its role in Internet gov- 
ernance. Many nations frustrated over the slow progress toward ICANN autonomy 
are proposing individual governance of the Internet. How would the proposed 
VeriSign agreement affect the road toward autonomy for ICANN? 

Answer. As your question aptly points out, we need to strike the right balance 
to ensure that ICANN’s passage to autonomy progresses as quickly as possible — but 
also responsibly. To this end, DOC has a Joint Project Agreement with ICANN to 
facilitate the transition of the domain name system to the private sector. Pursuant 
to this agreement, DOC advises ICANN on how to improve its transparency and ac- 
countability. It also monitors whether ICANN effectively considers competition in- 
terests in top-level domain management decisions. As part of its periodic review 
process, DOC will evaluate relevant factors, including, if necessary, the effects of the 
VeriSign Settlement Agreement, when considering when to complete the privatiza- 
tion of the domain name system. 

Question 4. If ICANN does not make strides toward the goals of transparency, 
bottom-up management, representation, and stability in a more timely manner than 
it has, how do you think this could effect the progress made at the World Summit 
on the Information Society? 

Answer. I agree that transparency, bottom-up management, representation, and 
stability are important goals for ICANN to pursue and could help instill increased 
confidence in ICANN on the international stage. One key to ensuring transparency 
and stability is ensuring continued access to WHOIS databases, as the Commission 
advocated in its testimony on September 20, 2006. 

I am aware that the international community is focused on ICANN and Internet 
governance as a result of discussions in the World Summit on Information Society — 
and that relevant stakeholders — including DOC, the Department of State, and 
ICANN — are working hard to try to satisfy all relevant interests. As to a specific 
assessment of the progress ICANN has made, DOC continues to monitor ICANN’s 
progress in achieving the important goals you have identified. 

Question 5. How would an unstable political environment affect domain name sys- 
tem (DNS) security and stability? 

Answer. Preserving the security and stability of the Internet is critical. One issue 
that the FTC advocates as a means of preserving the security and stability of the 
Internet is continued access to WHOIS domain name registration data. An unstable 
political environment could lead to a decision not to provide WHOIS data to law en- 
forcement and to the public. This would have extremely negative consequences for 
consumers in the United States and elsewhere, who want agencies like ours to bring 
actions against Internet malefactors that attempt to defraud them or that threaten 
their privacy. 


Response to Written Questions Submitted by Hon. Daniel K. Inouye to 

Ken Silva 

This submission is respectfully submitted on behalf of Mr. Silva in response to 
the questions posed by the Senate Commerce Committee following the hearing on 
September 20, 2006. 

For purposes of background to its responses, VeriSign provides the following brief 
summary of the operation of the Internet and the functional distinctions between 
domain name registries and domain name registrars. 

Background 

The Internet is a network of interconnected computers and computer networks. 
Every computer connected directly to the Internet has a unique address. These ad- 
dresses, which are known as Internet Protocol (“IP”) numbers, are necessary for 
computers to “communicate” with each other over the Internet. An example of an 
IP number might be: 98.27.241.30. Because IP numbers can be cumbersome and dif- 
ficult for Internet users to remember or to use, the IP number system has been 
overlaid with a more “user-friendly” system of domain names: the Internet domain 
name system, or “DNS”. This overlay associates a unique alpha-numeric character 
string — or domain name — with a specific IP number. 

Internet domain names consist of a string of “domains” separated by periods. 
“Top-level” domains, or “TLDs,” are found to the right of the period and include 
(among others) “.com,” “.gov,” “.net,” and “.biz,” which are sometimes referred to as 
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“generic” TLDs (also known as “gTLDs”). Other top-level domains are referred to as 
country code TLDs (also known as “ccTLDs”), and are represented by two-letter ab- 
breviations for each country, such as “.uk” (United Kingdom) and “.ca” (Canada), 
and .eu (Europe). gTLDs are functionally equivalent to ccTLDs. There are approxi- 
mately 250 top-level domains, which are administered and operated by numerous 
entities, both in and outside of the United States. ^ 

“Second-level” domains (SLDs) are those domains immediately to the left of the 
top-level domain, such as “senate” in the domain name “senate.gov.”, or “aol” in 
“aol.com.” There are approximately 100 million second-level domains currently reg- 
istered within the various TLDs. 

Because domain names are essentially “addresses” that allow computers con- 
nected to the Internet to communicate with each other, each domain name must be 
unique, even if it differs from another domain name by only one character (e.g., 
“uscourts.com” is different from “uscourt.com” or “us-courts.com”). A given domain 
name, therefore, can be registered to only one entity. 

VeriSign acts as the “registry” for domain names registered in the .com gTLD in 
accordance with a written agreement with ICANN and through its cooperative 
agreement with the U.S. Department of Commerce. Among the other services 
VeriSign performs as the “registry” for the .com gTLD, VeriSign maintains the de- 
finitive directory that associates registered domain names in this gTLD with the 
corresponding IP numbers of their respective domain name servers. The domain 
name servers, in turn, direct Internet queries to resources such as websites and e- 
mail systems. Under the DNS architecture, one given domain name is essentially 
associated by domain name servers with one IP number or distinct computer. 

For technological reasons, the uniqueness requirements of the DNS architecture 
described above, mandate that there can only be one entity that operates any TLD 
registry that maintains the authoritative database of domain names registered in 
a particular TLD. Accordingly, there can be only one registry operator for .com. 

A domain name is created by an individual or organization that registers the do- 
main name and thereby includes it in the registry’s master database. The individual 
or organization that registers a specific domain name is a “registrant.” Registrants 
do not have direct access to the VeriSign registry. Instead, prospective registrants 
must register domain names through any one of over 800 private companies located 
in the United States and throughout the world that are accredited by, and enter 
into a Registrar Accreditation Agreement with ICANN to act as domain name “reg- 
istrars” for the second-level domain names in the .com gTLD. While there can be 
only one registry for each TLD, there are hundreds of registrars and thousands of 
resellers around the world who sell these domain name registrations to end users. 

Registrars, not registries, sell domain names to registrants, or consumers. There 
are no restrictions by ICANN or the government upon the price for which registrars 
sell domain name services to consumers.^ Nearly all domain name registrars that 
provide domain registration services for the .com gTLD also provide domain name 
registration services for other gTLDs and ccTLDs. For example, according to its 
website, GoDaddy.com, one of the largest Internet domain name registrars, offers 
prospective registrants the ability to register SLDs in 29 gTLDs and ccTLDs in ad- 
dition to the .com gTLD. Domain name registrars set their own prices for domain 
name registration services and the prices registrants are charged by domain name 
registrars to register a domain name within the same TLD vary widely. 

Registrars provide direct services to registrants and prospective registrants, such 
as processing domain name registrations. The VeriSign registry has no contractual 
or other relationship with a registrant. This means that VeriSign has no informa- 
tion as to the identity of a registrant. Conversely, registrars have a contractual rela- 
tionship with registrants and keep all information regarding the registrants. 

Regardless of the price paid for a domain by an end user to a Registrant, the 
name works the same technically on the Internet. The Registries who operate these 
top level domains are responsible for ensuring that queries from around the world 
to that domain are answered (“resolved”) when executed. The volume of these que- 
ries is dictated by the growth of online users around the world and their increased 
usage of the Internet. Over the last decade, the number of users and usage of the 
Internet has grown at a pace that far outstrips the corresponding growth in the 
number of domain names registered worldwide. The ease of use for a user going on- 
line (i.e., access to broadband and wireless devices that are Internet-enabled), access 
to online content in non-English languages, and the meaningfulness of content on- 
line are the key drivers of Internet usage. Even during the historical slowing of do- 
main name registration sales during the “bust” of the Internet bubble, usage contin- 
ued to increase. 
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Question 1. Security is a significant concern of stakeholders and Internet users 
at large. How do you address concerns about the registrar’s lack of a disaster recov- 
ery plan? 

Answer. The lack of effective disaster recovery for registrars, along with the ab- 
sence of registrar security requirements, is a cause for serious concern. Historically, 
in the absence of stringent security requirements for registrars as part of their 
ICANN Accreditation Agreements, registries, such as VeriSign, have been the safety 
net for registrar security deficiencies. Under the current structure of ICANN Reg- 
istrar Accreditation Agreements, registrars have no incentive to, and do not, invest 
in the security or stability of the DNS. Accordingly, the work of insuring the oper- 
ational security and stability of the DNS falls to registries in general, and VeriSign 
in particular for .com, through continued and significant investment beyond that re- 
quired in current contracts. 

In light of the lack of infrastructure investments by registrars, VeriSign supports 
adding requirements to the ICANN Registrar Accreditation Agreements of registrars 
to fill the security and stability void in those agreements and to establish obliga- 
tions in the Registrar Accreditation Agreements that provide ICANN with the abil- 
ity to address security and stability issues (for example through a flexible Con- 
sensus Policy provision such as that currently provided for in Section 3.1 of the pro- 
posed .com Registry Agreement). The Registrar Accreditation Agreement is not part 
of the proposed .com Registry Agreement. 

Since the question above explicitly deals with the disaster recovery systems of 
Registrars, we have provided, below, answers related to the contractual requirement 
of data escrow/disaster recovery, which is a core component to ensure proper dis- 
aster recovery. 

Registrars maintain all personal end-user data related to the sale of a domain 
name which is needed to fully recover the ownership of domain. The registries main- 
tain all data related to the technical elements of the domain’s status and location 
on the Internet, but no personal data. The Registrar Accreditation Agreement, to 
which all ICANN-accredited registrars are parties with ICANN, includes a contrac- 
tual requirement that the registrar maintain an escrow of the registrar specific data 
related to their registrations. (Registrar Accreditation Agt., Sect. 3.4).^ 

A similar obligation exists for the registry operator in the .com registry agreement 
to maintain registry level data as noted above (but no personal data). In particular, 
the registry operator is required to establish at its expense a data escrow or mirror 
site for registry data compiled by the registry operator. (Registry Agt., Sect. 
S.licKi))."* Further specific details of this extensive, structured mirror site obligation 
are set forth in Appendix 1 and Appendix 2 to the .com Registry Agreement. In sum- 
mary, the obligation requires that the registry operator establish an escrow account 
to deposit a complete set of all data identified in section 3.1(c)(i) of the .com Registry 
Agreement to the data escrow provider on a daily and weekly basis. The data is 
verified by the escrow provider for completeness, accuracy, and format accuracy to 
avoid any risk of a failure to restore due to data corruption. In addition, the sched- 
ule, content, format, and procedure for escrow may be changed by ICANN as condi- 
tions warrant or through establishment of Consensus Policies. The intent of the mir- 
ror site obligation is to encapsulate registry operations and identified data into a 
single escrow file available to a third party for escrow storage and recovery.® 

VeriSign is compliant with all requirements to provide updates in escrow (as ex- 
plained more fully in response to Question 3). Through a time-proven process, it has 
a verifiable record of delivering completeness, correctness and integrity of the data 
within each escrow file. VeriSign completes daily and weekly deposits of reports and 
meta-data for all .com domain names. 

Further, VeriSign has a demonstrated record of compliance with its escrow obliga- 
tions and of continual monitoring of related issues. For example, VeriSign switched 
providers of its escrow services in December 2005 because it became apparent that 
most large gTLD registrars were using the same offsite data storage provider which 
was regarded as a possible single point of failure in the system. VeriSign believed 
that this circumstance created a risk to the community at large and, therefore, initi- 
ated a community discussion of this risk, and proposed a transition in its service 
to an alternate provider to eliminate the overlap. The new provider was reviewed 
and approved by ICANN before the transition was made. 

As explained more fully in response to Question 3 below, the proposed .com Reg- 
istry Agreement also includes other substantial, detailed requirements to ensure the 
secure and stable operation of the .com registry, including thorough oversight by 
and accountability to ICANN. For example, the proposed .com Registry Agreement 
expressly adds the further contractual requirement that the registry operator take 
those steps necessary to protect all personal data from loss, misuse, unauthorized 
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disclosure, alteration or destruction and includes monthly data reporting require- 
ments, together with ICANN audits of such reporting. (Registry Agt., Sect. 3.1(c)(ii)). 

Question 2. Does VeriSign have a plan to address these security concerns? 

Answer. As explained above, VeriSign acts as the “registry” (not the registrar) for 
domain names registered in the .com gTLD in accordance with a written agreement 
with ICANN. Accordingly, as explained in response to Question 1, VeriSign does not 
have control over any of the 800 registrars or their disaster recovery plans or secu- 
rity or stability deficiencies. 

However, the work of ensuring security and stability to make up for this gap falls 
to the registries. VeriSign regularly conducts failure mode analyses on all of the 
.com registry systems. This includes testing to insure the mitigation of risks occur- 
ring due to possible failures in hardware and software, the network layer, security 
systems, facility-related issues, and environmental factors. As a financially sound, 
U.S.-based, public company, with robust technical capabilities, VeriSign has a care- 
fully developed plan for data recovery, including provisions for DNS restoration and 
data retrieval, and provisions to facilitate system reconstitution. 

VeriSign believes that the best place to address registrar security concerns is 
through the addition of contractual obligations to the Registrar Accreditation Agree- 
ments of registrars, such as the inclusion of flexible Consensus Policy language such 
as the provision currently included in Section 3.1 of the proposed .com Registry 
Agreement, which gives ICANN the power to address security and other issues. Top- 
ics for such policies and discussions could include registrar business continuity, dis- 
aster recovery and periodic accreditation compliance audit. 

Question 3. Under the proposed agreement VeriSign has no accountability to 
ICANN regarding security measures. How will VeriSign ensure the safety of the 
DNS? 

Answer. The premise of this question is not based on the facts of the proposed 
.com Registry Agreement as the proposed Agreement not only provides substantial 
accountability to ICANN for insuring the security and stability of the registry and 
DNS, it increases the accountability over what is currently called for in existing reg- 
istry agreements that have controlled the operation of the registry during the pre- 
ceding 8 years. Under the preceding agreements, VeriSign has maintained 100 per- 
cent availability of the .com TLD for 8 years, an unparalleled record in Internet se- 
curity and stability. 

Under the proposed .com Registry Agreement, VeriSign is contractually obligated 
to maintain 100 percent availability of the DNS systems for the .com gTLD. (Reg- 
istry Agt., (Sect. 3.1(d)(ii), App. 7, Sect. 7). In order to meet this obligation, VeriSign 
must take all steps necessary to maintain the secure and stable operation of the 
DNS. In fact, numerous provisions of the proposed agreement are specifically di- 
rected to insuring compliance with this contractual obligation, including by placing 
particular and detailed obligations on the registry operator and providing for ongo- 
ing ICANN oversight. The following provisions of the proposed agreement, for exam- 
ple, are cumulative in their requirements: 

VeriSign is obligated to meet detailed functional and performance specifications 
incorporated into the contract in the form of Appendix 7. (Registry Agt., Sect. 
3.1(d)(ii)). These contract requirements were established by experts and standards 
bodies within the Internet community in order to create a secure and stable DNS. 
The registry operator also is required to maintain technical and operational records, 
for inspection and audit by ICANN, sufficient to insure compliance with these speci- 
fications. (7d.).® 

The proposed agreement further provides a process for changes in the contractual 
operational specification or policies affecting the registry through the development 
of Consensus Policies by ICANN, and the Internet community, during the existence 
of the agreement. This process for the adoption of Consensus Policies is expressly 
intended to allow for the continual monitoring and updating of policies affecting the 
registry in order to insure ongoing security and stability in response to changing 
conditions. (Registry Agt., Sect. 3.1(b)). Pursuant to such provisions, for example, 
contractual operational specifications on the registry operator may be changed dur- 
ing the term of the contract as necessary to meet changing conditions affecting the 
security or stability of the DNS or registry database. (Id.). Moreover, unlike the ex- 
isting .com Registry Agreement, or the Registrar Accreditation Agreements, the pro- 
posed agreement adds important flexibility to the process for adopting Consensus 
Policies by allowing the process itself to be changed during the term of the contract 
consistent with the requirements of ICANN’s Bylaws.'^ 

Similarly, the proposed .com Registry Agreement provides procedures for ICANN 
to adopt, on an emergency basis, new policies necessary to maintain the stability 
or security of the DNS. (Registry Agt., Sect. 3.1(a)(i)). The precondition for the exer- 
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cise of this power by ICANN is the determination of the ICANN Board that the 
change is necessary to maintain the security or stability of the DNS. (/d.).® This 
process is an additional oversight and accountability mechanism of substantial 
breadth. 

Therefore, neither the process for the adoption of Consensus Policies, nor the con- 
tractual specifications intended to address security and stability, are frozen in place 
by the contract. Instead, the proposed agreement specifically allows for monitoring 
and changing requirements on the registry operator as necessary to address the 
changing requirements for the security or stability of the DNS. (Registry Agt., Sect. 
3.1(b)(ii)). These flexible procedures provide extraordinary oversight and account- 
ability, including to address new security and stability concerns. 

The proposed .com Registry Agreement also substantially expands ICANN’s over- 
sight, and VeriSign’s accountability to ICANN, over changes in registry services or 
new services introduced by the registry operator, prior to such changes being imple- 
mented. Such oversight includes reviews of changing services by DNS experts and 
public review and comment periods. (Registry Agt., Sect. 3.1(d)(iv)). This process for 
assessing changes in registry services has been used by ICANN as a model for other 
new registry agreements, including .net and .mobi, among others. There is no com- 
parable process in the existing .com Registry Agreement. 

For example, before a change in registry services may be implemented by the reg- 
istry operator, including the introduction of new services, information regarding the 
service and potential security and stability implications must be provided to ICANN. 
ICANN thereafter has the right to review the service, including by seeking advice 
by experts on whether the service might have implications for the security or sta- 
bility of the DNS. ICANN further has the right to submit the proposed change to 
a standing panel of experts to conduct a more detailed analysis of the service prior 
to its adoption by the registry operator. The panel consists of 20 persons expert in 
the design, management and implementation of complex systems and standards-pro- 
tocols utilized in the Internet infrastructure and DNS. In the event the proposed 
change is submitted to the standing panel, the panel shall invite public comment 
on the proposed change. If it is determined that the proposed change creates a rea- 
sonable risk of an adverse affect on security or stability, the registry operator will 
not implement the change. 

The proposed .com Registry Agreement further requires a twice annual security 
and stability review by ICANN of issues regarding security and stability affecting 
the registry. (Registry Agt., Sect.3.1(g)). This requirement does not exist in the cur- 
rent agreement. 

The proposed .com Registry Agreement requires the registry operator to establish 
at its expense a data escrow or mirror site policy for registry data compiled by the 
registry operator. (Registry Agt., Sect. 3.1(c)(i)). The operator is required regularly 
to deposit into the escrow all registry data. The proposed agreement also expressly 
requires the registry operator to take steps to protect all personal data from loss, 
misuse, unauthorized disclosure, alteration or destruction. (Registry Agt., Sect. 
3.1(c)(ii)). 

In addition to these contractual provisions providing accountability, VeriSign also 
engages in other briefings and security activities with ICANN and the Internet com- 
munity. Currently, VeriSign partners with Department of Homeland Security, Na- 
tional Security Administration and other governmental parties regularly to brief 
these agencies on the stability and security of the overall DNS and to give timely 
updates and detailed information regarding attacks and their impact on the Internet 
infrastructure. VeriSign considers this sharing of information and coordination of 
data important to the overall stability of the DNS. 

VeriSign’s technical staff further participates, including by holding key positions 
in Internet standards and security groups, including Root Server System Advisory 
Committee (RSSAC), Security and Stability Advisory Committee (SSAC), Internet 
Engineering Task Force (IETF), Internet Security Alliance (ISA), Information Tech- 
nology — Information Sharing and Analysis Center (IT-ISAC), National Infrastruc- 
ture Protection Center (NIPC), Network Reliability and Interoperability Council 
(NRIC) and National Security Telecommunications Advisory Committee (NSTAC). 
Such open forums enable discussion and development of critical design consider- 
ations for changes to the architecture of the DNS and Internet, both at the root level 
and the interoperability of third-party systems and applications. VeriSign staff has 
authored numerous RFCs that define the myriad of standards, features, and best 
practices of DNS management, security and operations. Through one of these orga- 
nizations, the IETF, for example, VeriSign has initiated, shaped and refined the 
standards for DNS Security Extensions, an important issue in shaping future Inter- 
net security. 
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Therefore, the proposed agreement provides multiple, cumulative requirements on 
the registry operator to insure the stability and security of the registry, provide 
oversight by ICANN, and ensure accountability to ICANN. 

Question 4. How will VeriSign justify the costs of improvements to security sys- 
tems without accountability to ICANN? 

Answer. As explained in response to Question 3 above, the proposed .com Registry 
Agreement provides multiple, cumulative requirements on the registry operator to 
insure the stability and security of the registry, provide oversight by ICANN, and 
ensure accountability to ICANN. The proposed agreement explicitly requires 
VeriSign to meet detailed specifications and other obligations designed to insure a 
secure and stable .com registry. VeriSign has served as the operator of the .com reg- 
istry since its beginnings in 1992. During this period, VeriSign established an un- 
paralleled record in operating a secure and stable re^stry. The proposed .com Reg- 
istry Agreement not only contractually obligates VeriSign to continue to meet that 
standard, the proposed agreement explicitly provides for increased oversight by 
ICANN and the Internet community, through Consensus Policies and other provi- 
sions, to insure that the operator continues to meet, as it has in the past, the chang- 
ing requirements for security and stability for the registry and DNS. 

VeriSign has been a leader in Internet and DNS security throughout its tenure 
as the operator of the .com registry. It has participated in industry boards that have 
helped establish the security and stability requirements for the Internet and DNS. 
VeriSign also has participated in government reviews with the Department of 
Homeland Security and National Security Administration, among other govern- 
mental security organizations, aimed at developing a coordinated security strategy 
for the Internet. 

From the founding of the DNS through today, VeriSign has invested hundreds of 
millions of dollars in creating a secure DNS infrastructure, including as the volume 
of Internet traffic has grown 10,000-fold during just the years 2000 through present. 
No other operator has ever created or run a registry of this magnitude. 

The express terms of the proposed .com Registry Agreement establish substantial 
and detailed accountability for the operation of the .com registry. Moreover, under 
the proposed agreement, VeriSign is contractually obligated to maintain 100 percent 
availability of the DNS systems for the .com gTLD. (Registry Agt., (Sect. 3.1(d)(ii), 
App. 7, Sect. 7). In order to meet this obligation, VeriSign must take all steps nec- 
essary to maintain the secure and stable operation of the DNS. In fact, numerous 
provisions of the proposed agreement are specifically directed to insuring compliance 
with this contractual obligation, including by placing particular and detailed obliga- 
tions on the registry operator and providing for ongoing ICANN oversight as ex- 
plained in response to Question 3. Further, VeriSign’s consistent performance since 
the founding of the DNS, a record spanning more than a decade, establishes beyond 
any reasonable doubt that VeriSign is motivated to continue to invest in and main- 
tain a secure and stable .com registry, a necessity to meet its performance obliga- 
tions under the .com Registry Agreement. 

ICANN has carefully considered the issue of improvements to security and sta- 
bility and the methods to insure investment. Cost-based price regulation is complex, 
costly, and inefficient in the context of preemptive investment in the security and 
stability of the DNS. As a result, regulators have been moving away from such 
strict, command-and-control regulation. Such regulation would be particularly harm- 
ful in light of the need for preemptive investment in the security and stability of 
the DNS. The type of investment that needs to be made is critical and often unpre- 
dictable until after the consequences of an attack are known. The type of work that 
needs to be done requires strategic, critical, and preemptive investment that if de- 
layed or derailed by cost justification assessment models would come too late to 
have an effect. Setting a reasonable price cap that allows for some limited price 
flexibility, together with the extensive price protections in place in the agreement, 
strikes the right balance between providing the incentive and flexibility needed for 
efficient, ongoing, investment to protect security and stability while protecting con- 
sumers. 

As explained more fully in response to Question 5, those price protections include 
among others, the prohibition on VeriSign from discriminating in price among reg- 
istrars or their customers, the requirement that VeriSign give registrars 6 months’ 
notice of proposed price increases,® and the requirement to allow registrations for 
terms up to 10 years. This provision was included in the proposed .com Registry 
Agreement specifically to allow registrants to lock in current prices for up to 10 
years and thereby avoid the impact of any proposed price increase even if the reg- 
istrant choose not to avail themselves of competitive alternatives. (Registry Agt., 
Sect. 7.3(f)). 10 
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ICANN has adopted this carefully considered framework as its model for registry 
operator agreements. In fact, this model already has been implemented with respect 
to the 2006 .net Registry Agreement, over a year ago, and the .mohi Registry Agree- 
ment. 

Question 5. According to the provisions of the proposed agreement, VeriSign can 
increase prices up to 7 percent in most years, resulting in an overall price increase 
of up to 31 percent in 6 years. The proposed agreement includes presumptive re- 
newal and guaranteed price increases in most years. How does VeriSign respond to 
claims of creating a monopoly environment? 

Answer. VeriSign appreciates the opportunity to clear up some misconceptions 
about the effects of the proposed .com Registry Agreement on competition. This 
agreement has been subject to an extensive and thorough competitive review by the 
Department of Commerce with the assistance of the Antitrust Division of the De- 
partment of Justice. VeriSign and ICANN have worked in concert with these De- 
partments. As a result, the proposed agreement is one which promotes the security 
and stability of the Internet by providing the incentives and contractual feasibility 
to make necessary investments in the .com infrastructure. Additionally, the pro- 
posed agreement includes specific provisions providing for increased oversight hy 
ICANN of services provided by the registry, including the adoption of a more effi- 
cient consultative process with clearer guidelines to allow VeriSign to introduce 
changes to or new registry services that can benefit the Internet community and the 
public, while allowing ICANN to review any security, stability and competitive af- 
fects of such services prior to their introduction. 

Price Increases: It is important to recognize that VeriSign does not set the prices 
that consumers and businesses pay for domain name registrations. Those prices are 
set by hundreds of independent domain name registrars, some of whom charge as 
much as $35 for a domain name, while pa 3 dng VeriSign, the registry operator, only 
$6 to provide for operation of the domain name on the Internet. VeriSign’s price to 
registrars for registering .com domain names has been contractually frozen at $6 
since 1999. The new .com agreement provides VeriSign some limited flexibility to 
raise prices at the registry level but it does so under conditions that are tailored 
to protect registrars and their customers by leveraging important market forces. 

The .com registry requires substantial investment in infrastructure, and the de- 
mands on that infrastructure are ever increasing, due to rapidly increasing use of 
the Internet and the growing and more sophisticated attacks on Internet security 
that were described at the Hearing. As explained above, VeriSign has invested 
hundreds of millions of dollars in creating a secure DNS infrastructure, including 
while the volume of Internet traffic has grown 10,000-fold during just the years 
2000 through present. As the registry operator, VeriSign must bear the entire bur- 
den of those investments, and tfie only source of funding is the .com registry fees. 
A freeze on those fees would chill incentives and jeopardize the ability to fund need- 
ed investments. 

The proposed .com Registry Agreement balances the interest in removing inflexi- 
ble price controls against the needs of registrars by strictly limiting the amount and 
rate of price increases by VeriSign as well as providing additional safeguards. Thus, 
VeriSign will only be permitted to increase the price of .com registrations by a meix- 
imum of 7 percent and only in four of the six years of a contract term. Thus, by 
the end of 2012, and assuming VeriSign actually takes the maximum price increases 
permitted by tHe agreement, the cost of a .com domain name registration to reg- 
istrars would be only $7.86. 

Other provisions of the agreement also operate to provide safeguards for con- 
sumers. While there can only be one operator of the .com or any other TLD registry, 
there is competition among numerous TLD registries for the business of domain 
name registrants. There are over 250 TLD registries worldwide. Most domain name 
registrants can choose among many generic TLDs (gTLDs) such as .com, .biz, .info, 
.org, .net, and others, and also have choices from among country code TLDs 
(ccTLDs) such as .de, .uk, .jp, .us and many others — including the recently intro- 
duced .eu for registrants with activity anywhere in the European Union. Many do- 
main registrars promote these different TLDs as competitive alternatives for their 
customers. If registrars view .com as unduly expensive, they can use pricing and 
promotion to steer registrants to other TLDs. Building on such competitive facts, 
provisions of the proposed .com Registry Agreement leverage competitive market 
forces to protect consumers. 

First, the proposed .com Registry Agreement expressly prohibits VeriSign from 
discriminating in price among registrars or their customers. (Registry Agt., Sect. 
7.3(e)). VeriSign cannot charge a higher price for renewals of a .com domain name 
registration than it charges for a new registration. It cannot charge U.S. registrants/ 
registrars a higher price than it charges foreign registrants/registrars. Seventy five 
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percent of the growth in Internet usage is occurring outside the U.S. and it is esti- 
mated that over 60 percent of all domain name registrations come from non-U.S. 
registrants. More than half the domain names worldwide are registered in TLDs 
other than .com. Thus, the ongoing competition to attract new registrants to .com — 
particularly in foreign countries, where .com lags behind ccTLDs and where the 
overwhelming growth in Internet use and domain name registration is occurring — 
will force VeriSign to set its prices for all registrants at a level dictated by competi- 
tive forces worldwide. At the same time, increasing competition from search, key- 
words and new Internet navigation methods constrain domain name pricing. 

Second, the proposed .com Registry Agreement includes a provision requiring 
VeriSign to give registrars 6 months’ notice of proposed price increases, and to allow 
registrations for terms up to 10 years at the existing price. This provision was in- 
cluded in the agreement specifically to allow registrants to lock in current prices for 
up to 10 years and thereby avoid the impact of a proposed price increase even if 
they choose not to avail themselves of competitive alternatives. (Registry Agt., Sect. 
7.3(f)). 13 

Therefore, while VeriSign for technical reasons must be the sole operator of the 
.com registry, it is not a “monopoly” in terms of competitive choices to consumers. 
The provisions of the .com Registry Agreement gradually relax the 8-year freeze on 
VeriSign’s pricing, but set strict caps on future price increases and include terms 
that in any circumstances would prevent VeriSign from charging a supracompetitive 
price for domain name registrations. 

Strict price controls are strongly disfavored as a matter of public policy. Even in 
cases where firms have dominant market shares, and their market position stems 
in part from governmental grants, price controls are often eschewed, n Given the 
competitive forces at work, allowing VeriSign some carefully limited pricing flexi- 
bility is plainly in the public interest, especially given that unlike most contracts, 
the .com Registry Agreement allows ICANN, through the adoption of Consensus 
Policies, to change the operational performance requirements for the registry, or re- 
quire it to provide new services. 

Presumptive Renewal: The renewal provisions of the proposed .com Registry 
Agreement are virtually identical to the renewal provisions in the existing agree- 
ment, which were approved by the Department of Commerce in 2001. Both require 
renewal absent a material breach of the agreement or other circumstances not 
present here. The existing a^eement also specifically provides that this presump- 
tive renewal provision “shall be included in any renewed Registry Agreement.” Con- 
sistent with renewal models in other infrastructure industries, presumptive renewal 
is representative of the renewal model ICANN is pursuing in its registry agree- 
ments generally, as set out in the .net and .mobi agreements. 

The 2001 .com Registry Agreement provides that the agreement “shall be” re- 
newed absent a material breach of the agreement. (2001 Registry Agt., Sect. 25). 
With respect to the provision concerning a breach of the registry agreement, the ex- 
isting and proposed agreements contain minor differences. Unlike the existing 
agreement, the proposed agreement provides that a neutral arbitrator must deter- 
mine that the registry operator is in breach of the agreement before such a dispute 
over contractual performance may be the basis for denying renewal. This change is 
designed to protect VeriSign from the potential loss of its investment in the registry 
based on a good faith disagreement as to whether particular conduct may be within 
the scope of the agreement, or the possible use of a claim of breach to extract con- 
cessions under the contract. Disagreements regarding the interpretation of the reg- 
istry agreement have arisen between ICANN and VeriSign from time to time in the 
past. The change is thus necessary to resolve potential uncertainties in performance 
of the registry agreement. Certainty in the operation of the registry is necessary to 
allow ongoing investment in the DNS infrastructure. 

The proposed .com Registry Agreement also allows VeriSign an opportunity to 
cure a breach, which is a standard term of commercial contracts, especially impor- 
tant to contractual certainty in a changing environment for contractual performance 
such as the Internet. The same clause has been adopted for this same reason in 
other registry agreements, such as the .net and .mobi Registry Agreements. 

Accordingly, there has been no loss of a previously existing opportunity for com- 
petitive bidding to replace VeriSign as the operator of the .com registry in the ab- 
sence of material and uncured breach by VeriSign. 

The right to renewal of the .com agreement so long as VeriSign lives by its terms 
is an enforceable contract right that VeriSign already has. Such a provision is crit- 
ical in order to allow the registry operator to make the ongoing and substantial in- 
vestment in the DNS infrastructure necessary to its stability and security. 

Despite the claims from self-interested opponent registrars, the proposed .com 
Registry Agreement does not make any significant change in VeriSign’s existing 
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contractual rights to retain its role as the .com registry operator so long as it is per- 
forming in accord with the requirements of the agreement. The explicit terms of the 
existing agreement require that it be renewed upon its expiration and that the re- 
newal agreement include a similar provision. 

Presumptive renewal, or a renewal expectancy, is a common feature of contracts, 
licenses and franchises that involve long-term investments for some public purpose. 
Such terms are used in varying ways in broadcast, cable, satellite and other commu- 
nications licenses, utility franchises and other similar agreements. Without a re- 
newal expectancy, a firm would find it difficult to justify making substantial invest- 
ments that would take a long time to recoup. With only a 6-year contract term, and 
with capped prices, an economically rational registry operator would think long and 
hard about investing millions of dollars in new infrastructure and systems to meet 
emerging security threats or to respond to increased demand caused by new Inter- 
net business models, such as the substantial (and largely unremunerated) demands 
caused by domain name speculators and pay-per-click advertising businesses. A ra- 
tional registry operator that did not have a secure renewal expectancy might well 
defer such investments, particularly toward the end of the contract term, and then 
promise to make them as part of a renewal bid. Such a framework would undermine 
the security and stability of the DNS. Moreover, renewal expectancy provides dis- 
tinct benefits for consumers in the form of quality of service as well as a minimized 
risk of service disruption due to an arbitrary change in an underlying operator that 
has provided satisfactory levels of service. 

VeriSign has been a highly reliable steward of the .com registry for over 8 years. 
It has provided unmatched reliability under the most demanding conditions — unlike 
the problems experienced by firms operating even much smaller and less demanding 
registries. Competition from other TLD registries will continue to force VeriSign to 
keep .com competitive. It would be short-sighted to destroy the renewal expectancy, 
there is no competitive reason to do so, and it would be a violation of the express 
terms of the existing registry agreement. 

Question 6. How will the exclusion of competition affect pricing elsewhere in the 
Internet registry market? 

Answer. As the answer to Question 5 demonstrates, the .com agreement will not 
exclude competition. There can be only one registry for the .com TLD or for each 
of the other more than 250 registries worldwide. The proposed .com Registry Agree- 
ment, therefore, will neither eliminate any competition that would otherwise have 
existed nor will it create monopoly power. Rather it carefully regulates the terms, 
including the price, on which VeriSign can provide domain name registrations and 
other registry services to registrars. Within the constraints of the proposed agree- 
ment, VeriSign’s pricing will continue to be affected by the competitive pricing and 
service offerings of other competitive registries, particularly as VeriSign seeks to as- 
sist registrars in penetrating growing geographic markets in Asia, Europe, Latin 
America and the rest of the world, and as the registry competes for new domain 
name registrations in addition to renewal registrations, which must be priced in a 
nondiscriminatory manner. Likewise, innovative services from VeriSign will stimu- 
late competition from those other registries and benefit domain name registrars and 
registrants in the U.S. and around the world. 

Question 7. What strength is there to the VeriSign claims that not renewing its 
contract will be a detriment to DNS security? 

Answer. Currently, .com is under constant attack from hackers who realize the 
economic devastation that would result if businesses that use the Internet to con- 
duct business via IP-based transactions (banks, brokerage houses, stock exchanges, 
online commerce) were to lose the ability to connect to one another via the Internet. 
For example, NASD, the London Stock Exchange, Chase Bank and Citibank run on 
.com name servers. Additionally, all of the agencies reliant upon .gov sites are reli- 
ant upon .com as the resolution provider for all .gov names is routed through a .com 
server. In February 2005, the World Bank Operations and Policy Department issued 
a paper which outlined the development of capital markets and eFraud. The paper 
reviewed several case studies of fraud perpetrated upon various financial systems 
around the word. The common component of the study reveals that the world’s eco- 
nomic models more and more heavily rely upon IP-based transactions. While hack- 
ers attempt to penetrate these institutions at various levels, including the private 
hardware and software of banks, it is important to note that malicious attacks 
against the core infrastructure providers of the DNS are the most malicious way to 
attack the broadest segment of the financial institutions of this country. Financial 
institutions are just one example of a meaningful U.S. business sector reliant upon 
the stability of the DNS. 
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As explained in response to Question 5, due to the large ongoing investments cur- 
rently required in the development and maintenance of the DNS infrastructure, 
such uncertainty would negatively impact the willingness of registry operators to 
make the investments necessary to guarantee a secure and stable registry, espe- 
cially toward the end of a registry term. 

The express terms of the existing 2001 .com Registry Agreement require renewal. 
More specifically, Section 25 of the agreement explicitly provides that the agreement 
“shall be” renewed (absent a material breach of the agreement, which is not present 
here) and that this renewal clause shall be included in the renewal agreement. A 
failure to comply with the renewal terms would constitute a breach of the registry 
contract contrary to law. Equally fundamental, a failure to comply with such terms, 
which are included in other registry agreements as well as the 2001 .com Registry 
Agreement, would interject damaging uncertainty into the performance of such 
agreements. 

Furthermore, only VeriSign has demonstrated an ability to operate in a secure 
and stable manner a registry of the magnitude of the .com registry, as explained 
above. ICANN explicitly adopted such a finding in November 2005. Unlike any 
other registry operator, VeriSign has operated the .Com registry, the largest Inter- 
net registry, at 100 percent availability (with no interruption of service) for the last 
8 years. Thus, there would be inherent risks to the security and stability of the DNS 
in failing to renew the agreement (as its express terms require) and transitioning 
the operation of the registry to a new and necessarily untested operator. 

Endnotes 

1 Examples of TLDs available around the world include: .info, .org, com, .travel, 
.mil, .us, .biz, .net, info, .name, .bz, .jp, eu, .uk, .de, .kr, .mobi, .asia, .museum, .pro, 
.jobs, .edu, .gov. Norid, the .no registry, has a complete list of worldwide domains 
at http:! / www.norid.no I domenenavnbaser I domreg.html. 

2 For example, registrars today offer a .com domain for prices from $1.99 to $1,000 
within packages and as stand alone sales. Domain name registrations are accepted 
by Registrars from end-users for terms of 1 (one) year to one-hundred (100) years. 
The registrars differentiate themselves from one another based upon value added 
services, customer service and some compete upon price. Regardless of the registrar 
model, the registry wholesale price for a .com name, as set in the ICANN contract 
with VeriSign is currently $6.00. This is the “wholesale” rate. The average “retail” 
rate charged for a .com domain today is $21.00. 

^The Registrar Accreditation Agreement provides as follows: 

“3.6 Data Escrow. During the Term of this Agreement, on a schedule, under the 
terms, and in the format specified by ICANN, Registrar shall submit an elec- 
tronic copy of the database described in Subsection 3.4.1 to ICANN or, at Reg- 
istrar’s election and at its expense, to a reputable escrow agent mutually ap- 
proved by Registrar and ICANN, such approval also not to be unreasonably 
withheld by either party. The data shall be held under an agreement among 
Registrar, ICANN, and the escrow agent (if any) providing that (1) the data 
shall be received and held in escrow, with no use other than verification that 
the deposited data is complete, consistent, and in proper format, until released 
to ICANN; (2) the data shall be released from escrow upon expiration without 
renewal or termination of this Agreement; and (3) ICANN’s rights under the es- 
crow agreement shall be assigned with any assignment of this Agreement. The 
escrow shall provide that in the event the escrow is released under this Sub- 
section, ICANN (or its assignee) shall have a nonexclusive, irrevocable, royalty- 
free license to exercise (only for transitional purposes) or have exercised all 
rights necessary to provide Registrar Services.” 

http: I / www.icann.org / registrars / ra-agreement-17may01.htm#3 . 

“^The .com Registry Agreement Provides as follows: 

“Data Escrow. Registry Operator shall establish at its expense a data escrow 
or mirror site policy for the Registry Data compiled by Registry Operator. Reg- 
istry Data, as used in this Agreement, shall mean the following: (1) data for do- 
mains sponsored by all registrars, consisting of domain name, server name for 
each nameserver, registrar id, updated date, creation date, expiration date, sta- 
tus information, and DNSSEC-related key material; (2) data for nameservers 
sponsored by all registrars consisting of server name, each IP address, registrar 
id, updated date, creation date, expiration date, and status information; (3) data 
for registrars sponsoring registered domains and nameservers, consisting of reg- 
istrar id, registrar address, registrar telephone number, registrar e-mail ad- 
dress, WHOIS server, referral URL, updated date and the name, telephone 
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number, and e-mail address of all the registrar’s administrative, billing, and 
technical contacts; (4) domain name registrant data collected by the Registry 
Operator from registrars as part of or following registration of a domain name; 
and (5) the DNSSEC-related material necessary to sign the .com zone (e.g., pub- 
lic and private portions of .com zone key-signing keys and zone-signing keys). 
The escrow agent or mirror-site manager, and the obligations thereof, shall be 
mutually agreed upon by ICANN and Registry Operator on commercially rea- 
sonable standards that are technically and practically sufficient to allow a suc- 
cessor registry operator to assume management of the TLD. To this end. Reg- 
istry Operator shall periodically deposit into escrow all Registry Data on a 
schedule (not more frequently than weekly for a complete set of Registry Data, 
and daily for incremental updates) and in an electronic format mutually ap- 
proved from time to time by Registry Operator and ICANN, such approval not 
to be unreasonably withheld by either party. In addition. Registry Operator will 
deposit into escrow that data collected from registrars as part of offering Reg- 
istry Services introduced after the Effective Date of this Agreement. The escrow 
shall be maintained, at Registry Operator’s expense, by a reputable escrow 
agent mutually approved by Registry Operator and ICANN, such approval also 
not to be unreasonably withheld by either party. The schedule, content, format, 
and procedure for escrow deposits shall be as reasonably established by ICANN 
from time to time, and as set forth in Appendix 1 hereto. Changes to the sched- 
ule, content, format, and procedure may be made only with the mutual written 
consent of ICANN and Registry Operator (which neither party shall unreason- 
ably withhold) or through the establishment of a Consensus Policy as outlined 
in Section 3.1(b) above. The escrow shall be held under an agreement, substan- 
tially in the form of Appendix 2, as the same may be revised from time to time, 
among ICANN, Registry Operator, and the escrow agent.” 

.Com Registry Agt., Sect. 3.1(c)(i); http: I / www.icann.org I topics I vrsn-settlement I 
revised-com-agreement-clean-29jan06.pdf. 

^http:! twww. icann.org / tlds / agreements / verisign / registry-agmt-appl- 
22sep05.pdf; http: t / www.icann.org / tlds / agreements / verisign / registry -agmt-app2-22 
sep05.pdf. 

® For example, the .com Registry Agreement provides for reporting and audit with 
associated penalties: 

“Functional and Performance Specifications. Functional and Performance Speci- 
fications for operation of the TLD shall be as set forth in Appendix 7 hereto, 
and shall address without limitation DNS services; operation of the shared reg- 
istration system; and nameserver operations. Registry Operator shall keep tech- 
nical and operational records sufficient to evidence compliance with such speci- 
fications for at least 1 year, which records ICANN may audit from time to time 
upon reasonable advance written notice, provided that such audits shall not ex- 
ceed one per quarter. Any such audit shall be at ICANN’s cost.” 

Registry Agt., Sect. 3.1(d)(ii). 

“Monthly Reporting. Within 20 days following the end of each calendar month, 
Registry Operator shall prepare and deliver to ICANN a report providing such 
data and in the format specified in Appendix 4. ICANN may audit Registry Op- 
erator’s books and records relating to data contained in monthly reports from 
time to time upon reasonable advance written notice, provided that such audits 
shall not exceed one per quarter. Any such audit shall be at ICANN’s cost, un- 
less such audit shall reflect a material discrepancy or discrepancies in the data 
provided by Registry Operator. In the latter event. Registry Operator shall re- 
imburse ICANN for all costs and expenses associated with such audit, which 
reimbursement shall be paid together with the next Registry-Level Fee payment 
due following the date of transmittal of the cost statement for such audit.” 

Registry Agt., Sect. 3.1(c)(iv). 

'^The provision provides as follows: 

“Consensus Policies. 

(i) At all times during the term of this Agreement and subject to the terms here- 
of, Registry Operator will fully comply with and implement all Consensus Poli- 
cies found at http:llwww.icann.orglgenerallconsensus-policies.htm, as of the 
Effective Date and as may in the future be developed and adopted in accordance 
with ICANN’s Bylaws and as set forth below. 

(ii) “Consensus Policies” are those specifications or policies established (1) pur- 
suant to the procedure set forth in ICANN’s Bylaws and due process, and (2) 
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covering those topics listed in Section 3.1(b)(iv) below. The Consensus Policy de- 
velopment process and procedure set forth in ICANN’s Bylaws may be revised 
from time to time in accordance with ICANN’s Bylaws, and any Consensus Pol- 
icy that is adopted through such a revised process and covering those topics list- 
ed in Section 3.1(b)(iv) below shall be considered a Consensus Policy for pur- 
poses of this Agreement. 

(hi) For all purposes under this Agreement, the policies identified at http:! / 
www.icann.orglgenerallconsensus-policies.htm shall be treated in the same 
manner and have the same effect as “Consensus Policies.” 

(A) Consensus Policies and the procedures by which they are developed shall 
be designed to produce, to the extent possible, a consensus of Internet stake- 
holders, including the operators of gTLDs. Consensus Policies shall relate to one 
or more of the following: (1) issues for which uniform or coordinated resolution 
is reasonably necessary to facilitate interoperability. Security and/or Stability of 
the Internet or DNS; (2) functional and performance specifications for the provi- 
sion of Registry Services (as defined in Section 3.1(d)(iii) below); (3) Security 
and Stability of the registry database for the TLD; (4) registry policies reason- 
ably necessary to implement Consensus Policies relating to registry operations 
or registrars; or (5) resolution of disputes regarding the registration of domain 
names (as opposed to the use of such domain names). . . . 

®That provision states as follows: 

“Preserve Security and Stability. 

ICANN Temporary Specifications or Policies. Registry Operator shall comply 
with and implement all specifications or policies established by the ICANN 
Board of Directors on a temporary basis, if adopted by the ICANN Board of Di- 
rectors by a vote of at least two-thirds of its members, so long as the ICANN 
Board of Directors reasonably determines that immediate temporary establish- 
ment of a specification or policy on the subject is necessary to maintain the Sta- 
bility or Security (as defined in Section 3.1(d)(iv)(G)) of Registry Services or the 
DNS (‘Temporary Specification or Policies’). Such proposed specification or pol- 
icy shall be as narrowly tailored as feasible to achieve those objectives. In estab- 
lishing any specification or policy under this provision, the ICANN Board of Di- 
rectors shall state the period of time for which the specification or policy is tem- 
porarily adopted and shall immediately implement the Consensus Policy devel- 
opment process set forth in ICANN’s IBylaws. ICANN shall also issue an advi- 
sory statement containing a detailed explanation of its reasons for adopting the 
temporary specification or policy and why the Board believes the specification 
or policy should receive the consensus support of Internet stakeholders. If the 
period of time for which the specification or policy is adopted exceeds 90 days, 
the ICANN Board shall reaffirm its temporary adoption every 90 days for a 
total period not to exceed 1 year, in order to maintain such policy in effect until 
such time as it shall become a Consensus Policy as described in Section 3.1(b) 
below. If during such 1 year period, the temporary policy or specification does 
not become a Consensus Policy meeting the standard set forth in Section 3.1(b) 
below. Registry Operator shall no longer be required to comply with or imple- 
ment such temporary policy or specification.” 

^“No price discrimination. Registry Operator shall charge the same price for Reg- 
istry Services subject to this Section 7.3, not to exceed the Maximum Price, to all 
ICANN-accredited registrars (provided that volume discounts and marketing sup- 
port and incentive programs may be made if the same opportunities to qualify for 
those discounts and marketing support and incentive programs is available to all 
ICANN-accredited registrars).” Registry Agt., Sect. 7.3(e). 

“Adjustments to Pricing for Domain Name Registrations. Registry Operator 
shall provide no less than 6 months prior notice in advance of any increase for new 
and renewal domain name registrations and for transferring a domain name reg- 
istration from one ICANN-accredited registrar to another and shall continue to offer 
for periods of up to 10 years new and renewal domain name registrations fixed at 
the price in effect at the time such offer is accepted. Registry Operator is not re- 
quired to give notice of the imposition of the Variable Registry-Level Fee set forth 
in Section 7.2(c).” Registry Agt., Sect. 7.3(f). 

'^iThe Shared Registration System (SRS) is the system maintained by VeriSign 
as the .com registry operator that allows multiple registrars to register and modify 
domain names in the registry database. That, however, is only one component of 
VeriSign’s obligations under the .com Registry Agreement. VeriSign also must main- 
tain Domain Name System (DNS) up-time and availability. The DNS is what makes 
the domain name “work” as a resource or locator on the Internet. Stated another 
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way, the DNS is what enables you as an Internet user to simply type in a domain 
name on your computer, such as “verisign.com,” and connect it over the Internet to 
the machine that hosts the proper website. The receipt of DNS queries or “look-ups” 
for a particular domain name is separate from the SRS or its operation. Were the 
DNS to fail, the Internet would not work. Were the SRS to fail, traffic would still 
move over the Internet. Registrars could simply not register new domain names. 
While domain names may be registered through the SRS and VeriSign receives $6, 
that fee also must cover resources for processing queries/trafEc. Such fee, however, 
is not based on the volume of queries/traffic received. The explosion of Internet-en- 
abled devices and applications — text messaging, music downloads, VoIP, Black- 
berries and device-to-device communications — has created exponential growth in 
Internet traffic far surpassing the increase in users. While users have increased 300 
percent since 2000, the volume of traffic on .com and .net has increased 1,900 per- 
cent in that same period. Domain name registration has not kept pace. 

“No price discrimination. Registry Operator shall charge the same price for Reg- 
istry Services subject to this Section 7.3, not to exceed the Maximum Price, to all 
ICANN-accredited registrars (provided that volume discounts and marketing sup- 
port and incentive programs may be made if the same opportunities to qualify for 
those discounts and marketing support and incentive programs is available to all 
ICANN-accredited registrars).” Registry Agt., Sect. 7.3(e). 

^^“Adjustments to Pricing for Domain Name Registrations. Registry Operator 
shall provide no less than 6 months prior notice in advance of any increase for new 
and renewal domain name registrations and for transferring a domain name reg- 
istration from one ICANN-accredited registrar to another and shall continue to offer 
for periods of up to 10 years new and renewal domain name registrations fixed at 
the price in effect at the time such offer is accepted. Registry Operator is not re- 
quired to give notice of the imposition of the Variable Registry-Level Fee set forth 
in Section 7.2(c).” Registry Agt., Sect. 7.3(f). 

11 For example, a pharmaceutical company may obtain a patent on a drug that 
is the sole drug approved by the FDA for a particular indication. An airline may 
dominate a hub airport due to a lack of gate space or takeoffdanding slots. A fran- 
chised cable operator may be the sole provider of broadband Internet access in an 
area where the local telephone company cannot feasibly provide DSL service. In 
none of these situations does the government regulate prices. 

1® That provision provides as follows: 

“25. Procedure for Subsequent Agreement 

B. ICANN shall consider the Renewal Proposal for a period of no more than 6 
months before deciding whether to call for competing proposals from potential 
successor registry operators for the Registry TLD. During this 6 month period, 
ICANN may request Registry Operator to provide, and Registry Operator shall 
provide, additional information concerning the Renewal Proposal that ICANN 
determines to be reasonably necessary to make its decision. Following consider- 
ation of the Renewal Proposal, Registry Operator shall be awarded a four-year 
renewal term unless ICANN demonstrates that: (a) Registry Operator is in ma- 
terial breach of this Registry Agreement, (b) Registry Operator has not provided 
and will not provide a substantial service to the Internet community in its per- 
formance under this Registry Agreement, (c) Registry Operator is not qualified 
to operate the Registry TLD during the renewal term, or (d) the maximum price 
for initial and renewal registrations proposed in the Renewal Proposal exceeds 
the price permitted under Section 22 of this Registry Agreement. The terms of 
the registry agreement for the renewal term shall be in substantial conformity 
with the terms of registry agreements between ICANN and operators of other 
open TLDs then in effect, provided that this Section 25 shall be included in any 
renewed Registry Agreement unless Registry Operator and ICANN mutually 
agree to alternative language. 

C. In the event that ICANN fails to award a renewal registry agreement to Reg- 
istry Operator within the 6-month period described above, Registry Operator 
shall have the right to challenge the reasonableness of that failure under the 
provisions of Section 15. 

D. In the event ICANN does not award Registry Operator a renewal registry 
agreement according to Subsection 25(B), ICANN shall call for competitive pro- 
posals and Registry Operator shall be eligible, to the same extent as similarly 
situated entities, to submit a proposal in response to such a call and to be con- 
sidered for such award.” 

http: II WWW. icann. org / announcements / announcement-21 nov05. htm. 
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Questions Submitted by Hon. Daniel K. Inouye to Dr. Paul Twomey * 

Question 1. One of ICANN’s overarching principles is to create a transparent, 
“bottom-up” consensus driven system of management. Many critics argue that 
ICANN has strayed far away from this principle. What response do you have to 
claims that ICANN does not satisfactorily inform the public of its decisionmaking 
process, such as, in the case of the dot-biz, dot-org, and dot-info proposed contract 
agreements? 

Question 2. How do you respond to critics who note that ICANN has yet to sub- 
stantially involve Internet users? For example, the stalled, and ultimately aban- 
doned, attempt to hold open elections. 

Question 3. Is the involvement that the NTIA had on the creation of the dot-xxx 
domain name representative of the decisionmaking process in ICANN? 

Question 4. ICANN has been praised for its attention and success in the areas 
of stability and security of the DNS. However, the proposed agreement with 
VeriSign and the general evolution of the Internet has raised new concerns. Under 
the terms of the proposed agreement, ICANN and VeriSign are only required to 
meet to discuss security every 6 months. Is 6 months often enough to ensure the 
security of the DNS? 

Question 5. The terms of the proposed VeriSign agreement reduces ICANN’s 
power to terminate the agreement. Compared to the 2001 agreement, how does this 
weaken ICANN’s ability to oversee the dot-com registry and maintain the security 
of the DNS? 

Question 6. Do you think that breaking ties with NTIA’s governance will make 
the Internet vulnerable to other governing bodies? 

Question 7. How do you address the concerns of those who feel that the MOU 
should be renewed before the proposed VeriSign agreement is approved or denied 
in order to address security concerns? 

Question 8. The lack of transparency in the ICANN decisionmaking system also 
extends to the budget. How do you address concerns about a lack of accountability 
for the ICANN budget? 


o 


Response to written questions was not available at the time this hearing went to press. 



